Lecture Notes in 
Computer Science 



Edited by G. Goos and J. Hartmanis 



218 



Advances in Cryptology - 
CRYPTO '85 

Proceedings 



Edited by Hugh C. Williams 




Springer-Verlag 

Berlin Heidelberg New York Tokyo 



Editorial Board 

D. Barstow W. Brauer P. Brinch Hansen D. Gries D. Luckham 
C. Moler A. Pnueli G. Seegmuller J. Stoer N. Wirth 

Editor 

Hugh C. Williams 

Department of Computer Science, University of Manitoba 
Winnipeg, Manitoba R3T 2N2, Canada 



CR Subject Classifications (1985): E.3 

ISBN 3-540-16463-4 Springer-Verlag Berlin Heidelberg New York Tokyo 
ISBN 0-387-16463-4 Springer-Verlag New York Heidelberg Berlin Tokyo 



CIP short-title entry of the Deutsche Bibliothek. Advances in cryptology: proceedings of CRYPTO. Berlin; Heidelberg; New York; Tokyo: Springer.

Partly also with the title: Workshop on the Theory and Application of Cryptographic Techniques.

Added entry: CRYPTO 1985 (1986).

(Lecture notes in computer science; Vol. 218)

ISBN 3-540-16463-4 (Berlin ...)

ISBN 0-387-16463-4 (New York ...)

Added entry: series title

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically those of translation, reprinting, re-use of illustrations, broadcasting, reproduction by photocopying machine or similar means, and storage in data banks. Under § 54 of the German Copyright Law where copies are made for other than private use, a fee is payable to "Verwertungsgesellschaft Wort", Munich.

© by Springer-Verlag Berlin Heidelberg 1986
Printed in Germany

Printing and binding: Beltz Offsetdruck, Hemsbach/Bergstr.
2145/3140-543210



Preface 



In the summer of 1981 Allen Gersho organized the first major open conference ever devoted to cryptologic research. This meeting, Crypto '81, was held at the University of California campus in Santa Barbara. Since then the Crypto conference has become an annual event. These are the proceedings of the fifth¹ of these conferences, Crypto '85.

Each section of this volume corresponds to a session at the meeting. The papers were accepted by the program committee, sometimes on the basis of an abstract only, and appear here without having been otherwise refereed. The last section contains papers for some of the impromptu talks given at the traditional rump session. Each of these papers was refereed by a single member of the program committee. An author index as well as a keyword index, the entries for which were mainly supplied by the authors, appear at the end of the volume.

Unfortunately, two of the papers accepted for presentation at Crypto '85 could not be included in this book; they are:

Unique Extrapolation of Polynomial Recurrences

J.C. Lagarias and J.A. Reeds (A.T. & T. Bell Labs)

Some Cryptographic Applications of Permutation Polynomials and
Permutation Functions

Rupert Nöbauer (Universität für Bildungswissenschaften, Austria)

It is my great pleasure to acknowledge the efforts of all of those who contributed to making these proceedings possible: the authors, program committee, other organizers of the meeting, IACR officers and directors, and all the attendees. I would also like to thank Lynn Montz of Springer-Verlag for her patient assistance in preparing this volume.

Winnipeg, Manitoba, Canada    H.C.W.
January 1986

¹ Proceedings of the other Crypto conferences have also been published. The interested reader can find these listed in the preface of Advances in Cryptology 84 (the proceedings of Crypto '84), published by Springer-Verlag.



CRYPTO 85 



A Conference on the Theory and Application of Cryptographic Techniques 



held at the University of California, Santa Barbara, 
through the co-operation of the 
Computer Science Department 



August 18-22, 1985 



sponsored by 



The International Association for Cryptologic Research 



in co-operation with 



The IEEE Computer Society Technical Committee 
on Security and Privacy 



Organizers 



Ernest F. Brickell (Bell Communications Research), General Chairman 

H.C. Williams (University of Manitoba), Program Chairman 

Thomas A. Berson (Sytek, Inc.), Program 

Joan Boyar (University of Chicago), Program 

Donald W. Davies (Data Security Consultant), Program 

Oded Goldreich (MIT/Technion), Program 

Alan G. Konheim (UCSB), Local Arrangements 

Carol Patterson (Sandia Laboratories), Registration 

Ron Rivest (MIT), Program 

Joe Tardo (DEC), Show and Tell 



CONTENTS 



SECTION I: SIGNATURES AND 
AUTHENTICATION 



Breaking the Ong-Schnorr-Shamir Signature Scheme 

for Quadratic Number Fields 3 

Dennis Estes, Leonard M. Adleman, Kireeti Kompella, 
Kevin S. McCurley, and Gary L. Miller 

Another Birthday Attack 14 

Don Coppersmith 

Attacks on Some RSA Signatures 18 

Wiebren de Jonge and David Chaum 

An Attack on a Signature Scheme Proposed by 

Okamoto and Shiraishi 28 

Ernest F. Brickell and John M. DeLaurentis 

A Secure Subliminal Channel (?) 33 

Gustavus J. Simmons 

Unconditionally Secure Authentication Schemes and 

Practical and Theoretical Consequences 42 

Yvo Desmedt 



SECTION II: PROTOCOLS 

On the Security of Ping-Pong Protocols When Implemented
Using the RSA 58

Shimon Even, Oded Goldreich, and Adi Shamir 

A Secure Poker Protocol that Minimizes the Effect of 

Player Coalitions 73 

Claude Crepeau 

A Framework for the Study of Cryptographic Protocols 87 

Richard Berger, Sampath Kannan, and Rene Peralta 

Cheating at Mental Poker 104 

Don Coppersmith 

Security for the DoD Transmission Control Protocol 108

Whitfield Diffie 



Symmetric Public-Key Encryption 

Zvi Galil, Stuart Haber, and Moti Yung






SECTION III: COPY PROTECTION 

Software Protection: Myth or Reality? 140 

James R. Gosler 

Public Protection of Software 158 

A. Herzberg and S. Pinter

Fingerprinting Long Forgiving Messages 180 

G.R. Blakley, Catherine Meadows, and G.B. Purdy 

SECTION IV: SINGLE KEY CRYPTOLOGY 

Cryptanalysis of DES with a Reduced Number of Rounds 192 

David Chaum and Jan-Hendrik Evertse

Is DES a Pure Cipher? (Results of More Cycling Experiments 

on DES) 212 

Burt S. Kaliski, Ronald L. Rivest, and Alan T. Sherman 

A Layered Approach to the Design of Private Key Cryptosystems 227 

T.E. Moore and S.E. Tavares 

Lifetimes of Keys in Cryptographic Key Management Systems 246 

E. Okamoto and K. Nakamura 

Correlation Immunity and the Summation Generator 260 

Rainer A. Rueppel 

Design of Combiners to Prevent Divide and Conquer Attacks 273 

T. Siegenthaler 

On the Security of DES 280 

Adi Shamir 

Information Theory Without the Finiteness Assumption, II:
Unfolding the DES 282

G.R. Blakley 

SECTION V: TWO KEY CRYPTOLOGY 

Analysis of a Public Key Approach Based on Polynomial
Substitution 340

Harriet Fell and Whitfield Diffie

Developing an RSA Chip 350 

Martin Kochanski 






An M³ Public-Key Encryption Scheme 358

H.C. Williams 

Trapdoor Rings and Their Use in Cryptography 369 

V. Varadharajan 

On Computing Logarithms Over Finite Fields 396 

Taher El Gamal 

On Using RSA with Low Exponent in a Public Key Network 403 

Johan Hastad 

Lenstra's Factorisation Method Based on Elliptic Curves 409 

N.M. Stephens 

Use of Elliptic Curves in Cryptography 417 

Victor S. Miller 

SECTION VI: RANDOMNESS AND OTHER 

PROBLEMS 

Cryptography with Cellular Automata 429 

Stephen Wolfram 

Efficient Parallel Pseudo-Random Number Generation 433 

J.H. Reif and J.D. Tygar

How to Construct Pseudo-random Permutations from 

Pseudo-random Functions 447 

Michael Luby and Charles Rackoff

The Bit Security of Modular Squaring Given Partial 

Factorization of the Modulus 448

Benny Chor, Oded Goldreich, and Shafi Goldwasser

Some Cryptographic Aspects of Womcodes 458 

Philippe Godlewski and Gerard D. Cohen 

How to Reduce Your Enemy's Information 468 

Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert 

Encrypting Problem Instances: Or ... Can you Take Advantage 

of Someone Without Having to Trust Him? 477 

Joan Feigenbaum 

Divergence Bounds on Key Equivocation and Error 

Probability in Cryptanalysis 489 

J. van Tilburg and D.E. Boekee






SECTION VII: IMPROMPTU TALKS 



A Chosen Text Attack on the RSA Cryptosystem and 

Some Discrete Logarithm Schemes 516 

Y. Desmedt and A.M. Odlyzko 

On the Design of S-boxes 523 

A.F. Webster and S.E. Tavares 

The Real Reason for Rivest's Phenomenon 535 

Don Coppersmith 

The Importance of "Good" Key Scheduling Schemes (How to 

Make a Secure DES Scheme with < 48 Bit Keys?) 537 

J.-J. Quisquater, Y. Desmedt, and M. Davio

Access Control at the Netherlands Postal and 

Telecommunications Services 543 

W. Haemers 

Author Index 545 

Keyword Index 546 



Breaking the Ong-Schnorr-Shamir Signature Scheme
for Quadratic Number Fields

Dennis Estes (1)
Leonard M. Adleman (2) (*)
Kireeti Kompella (2)
Kevin S. McCurley (1)
Gary L. Miller (2)

(1) Department of Mathematics
University of Southern California
Los Angeles, CA 90089-1113

(2) Department of Computer Science
University of Southern California
Los Angeles, CA 90089-0782



1. Introduction 

Recently Ong, Schnorr, and Shamir [OSS1, OSS2] have presented new public key signature schemes based on quadratic equations. We will refer to these as the OSS schemes. The security of the schemes rests in part on the difficulty of finding solutions to

$X^2 - KY^2 \equiv M \pmod n$, (1)

where n is the product of two large rational primes. In the original OSS scheme [OSS1], K, M, X, and Y were to be rational integers. However, when this version succumbed to an attack by Pollard [PS, S1], a new version was introduced [OSS2], where K, X, and Y were to be quadratic integers, i.e. elements of the ring $\mathbb{Z}[\sqrt d]$. In this paper we will show that the OSS system in $\mathbb{Z}[\sqrt d]$ is also breakable. The method by which we do this is to reduce the problem of solving the congruence over the ring $\mathbb{Z}[\sqrt d]$ to the problem of solving the congruence over the integers, for which we can use Pollard's algorithm.

(*) Research sponsored by NSF Grant 53-45 10-2651

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 3-13, 1986.
© Springer-Verlag Berlin Heidelberg 1986

The OSS signature scheme described in [OSS2] was intended to provide a method by which a person can sign messages with the assurance that no one, including the receiver, can forge the signature, and so that anyone can easily verify the validity of both the signature and the message. It works as follows: Party A generates two rational primes p and q each about 300 bits long, using the same care as in the key generation for RSA to ensure that n = pq cannot be easily factored by known methods. Party A also chooses random integers d, $t_0$, and $t_1$ such that $(n, t_0^2 - dt_1^2) = 1$, and publishes n, d, and $K \equiv (t_0 + t_1\sqrt d)^2 \pmod n$, keeping $t_0$, $t_1$, p, and q secret. (In [OSS2], they took $K \in \mathbb{Z}$, but we will show that the scheme is insecure with $K \in \mathbb{Z}[\sqrt d]$.) The messages consist of pairs of integers $(M_0, M_1)$ from the interval $[1, n)$. In order to sign a message, party A uses the secret key $(t_0, t_1)$ to construct a solution to the congruence $X^2 - KY^2 \equiv M_0 + M_1\sqrt d \pmod n$. The receiver of the message can easily verify that the message was the one signed by party A. In order for the scheme to be secure, the receiver should have some assurance that no one can forge the signature without knowledge of the secret key K.

It was presumed that it would be hard to solve congruence (1) without knowing the secret keys, in part because $\mathbb{Z}[\sqrt d]$ is not in general a Euclidean domain, and Pollard's algorithm resembles the Euclidean algorithm in some ways. In this paper we will show that the problem of solving (1) over $\mathbb{Z}[\sqrt d]$ can be reduced to the problem of solving (1) over $\mathbb{Z}$. Pollard's algorithm can then be used to solve the problem over $\mathbb{Z}$, giving then also a solution over $\mathbb{Z}[\sqrt d]$. Because we use Pollard's algorithm, the method constructs a solution to the congruence without necessarily producing the secret keys. The most general OSS scheme was based on a polynomial congruence modulo a composite integer. Even though both of the quadratic OSS schemes have now been broken, it remains an open question whether the most general form of the OSS scheme can be broken.

In this paper, when we write $x_0 + x_1\sqrt d \equiv y_0 + y_1\sqrt d \pmod n$ we mean that $x_0 \equiv y_0 \pmod n$ and $x_1 \equiv y_1 \pmod n$. In general, an element X of the ring $\mathbb{Z}[\sqrt d]$ will be written as $X = X_0 + X_1\sqrt d$, and we will write $N(X)$ for the norm of X, namely $N(X) = X_0^2 - dX_1^2$. If $X \in \mathbb{Z}[\sqrt d]$ and $(N(X), n) = 1$, then X is invertible modulo n, and we write $\bar X = \bar X_0 + \bar X_1\sqrt d$ for the inverse. Note that

$\bar X_0 \equiv X_0 N(X)^{-1} \pmod n$,

$\bar X_1 \equiv -X_1 N(X)^{-1} \pmod n$,

and these can be calculated using the Euclidean algorithm, even though $\mathbb{Z}[\sqrt d]$ may not be a Euclidean domain.

To begin, we consider four computational problems:

Problem I

INPUT: $A, M, n \in \mathbb{Z}$, $(n, A) = (n, M) = 1$.

OUTPUT: $X, Y \in \mathbb{Z}$ such that $X^2 + AY^2 \equiv M \pmod n$.

Problem II

INPUT: $A, B, C, M, n \in \mathbb{Z}$, $n \nmid A$, $n \nmid B$, $n \nmid (C^2 - AB)$, $n \nmid M$.

OUTPUT: Either a) or b):

a) $X, Y \in \mathbb{Z}$ such that $AX^2 + BY^2 + 2CXY \equiv M \pmod n$.

b) $m \in \mathbb{Z}$ such that $1 < m < n$ and $m \mid n$.

Problem III

INPUT: $d, n \in \mathbb{Z}$, $K = K_0 + K_1\sqrt d$, $M = M_0 + M_1\sqrt d$, $(N(KM), n) = 1$, $n \nmid M_1$, $n \nmid d$.

OUTPUT: Either a), b), or c):

a) $X, Y \in \mathbb{Z}[\sqrt d]$, $c \in \mathbb{Z}$ such that $(c, n) = 1$ and $X^2 - KY^2 \equiv cM \pmod n$.

b) $m \in \mathbb{Z}$ such that $1 < m < n$ and $m \mid n$.

c) $S \in \mathbb{Z}[\sqrt d]$ such that $S^2 \equiv K \pmod n$.

Problem IV

INPUT: $d, n \in \mathbb{Z}$, $K, M \in \mathbb{Z}[\sqrt d]$, $(N(KM), n) = 1$.

OUTPUT: $X, Y \in \mathbb{Z}[\sqrt d]$ with $X^2 - KY^2 \equiv M \pmod n$.



We shall prove:

Theorem 1. Problem II is solvable in polynomial time with an oracle for Problem I.

Theorem 2. Problem III is solvable in polynomial time with an oracle for Problem II.

Theorem 3. Problem IV is solvable in polynomial time with an oracle for Problem III.

The security of the original OSS scheme was based on the difficulty of solving Problem I when $n = pq$, the product of two large primes. Pollard produced an algorithm for Problem I which is believed to run in deterministic polynomial time, and as a consequence was able to break the original OSS signature scheme. The details of his algorithm should appear in a joint paper of Pollard and Schnorr [PS], where they will prove under the assumption of an extended Riemann hypothesis that Pollard's algorithm for Problem I runs in random polynomial time. It should be mentioned that in this paper they also outline a method similar to ours for solving Problem III, having made this discovery independently of the authors.

Three of the authors (A., E. and Mc.) have recently discovered a variation of 
Pollard's algorithm that allows us to prove that Problem I is solvable in random 
polynomial time, removing the assumption of the extended Riemann hypothesis in 
Pollard and Schnorr's result. Our variation of Pollard's algorithm is not a practical 
procedure for breaking the OSS scheme, but it has the advantage that one can rigorously 
analyse its running time without any hypothesis. The details of this will appear in a 
later paper. 

As a consequence of these results, it follows that Problem IV is solvable in random polynomial time, and therefore that the OSS signature scheme over $\mathbb{Z}[\sqrt d]$ is insecure.

Several remarks are in order here before we proceed. 

1. The assumption that $(N(KM), n) = 1$ is made primarily for convenience. In the OSS signature scheme, n was taken to be the product of two large primes, and the scheme is compromised if the factorization of n can be discovered. Therefore values of $N(K)$ and $N(M)$ which have a nontrivial factor in common with n are not of any interest.

2. If n is not squarefree, then our algorithm for solving (1) may not work if $1 < (N(M), n) < n$. The reason for this is illustrated by the example $n = t^2$, where t is composite, and $t \mid M$. Our algorithm might detect the factorization $n = t^2$, and try to use Hensel's lemma to construct a solution modulo $t^2$ from a solution modulo t. Modulo t, however, the congruence reduces to $X^2 - KY^2 \equiv 0 \pmod t$. Without knowing the factorization of t, the only solution we can construct in this case is the trivial one with X = Y = 0, and this solution will not work in Hensel's lemma. In fact, Rabin [R] has observed that any algorithm which produces solutions to $X^2 - KY^2 \equiv 0 \pmod n$ can be used as a probabilistic algorithm for factoring n. This provides a reason for believing that (1) may be hard to solve if $(N(KM), n) > 1$.

3. In the OSS scheme, K was assumed to be a square modulo n, and part of the secret key used to sign messages was $\sqrt K \pmod n$. It turns out that this information is not necessary for signing messages in polynomial time.

4. If n is odd, then a solution to (1) exists if $(N(KM), n) = 1$. If n is even, then not all messages M can be signed, even if $(N(KM), n) = 1$. In particular the message $M = \sqrt d$ is not signable if $K_1$ is even (where $K = K_0 + K_1\sqrt d$), so $\sqrt d$ is not signable if K is a square. Our method will produce a solution to (1) if such a solution exists.

2. Proof of Theorem 1

The proof of Theorem 1 is elementary, requiring only that we complete the square. To begin, if $1 < (A, n)$ or $1 < (B, n)$ or $1 < (M, n)$ or $1 < (C, n) < n$, then the Euclidean algorithm will produce a nontrivial factor of n. If $1 = (A, n) = (B, n) = (M, n)$ and $n \mid C$, then solving the congruence in question is equivalent to solving

$X^2 + BA^{-1}Y^2 \equiv MA^{-1} \pmod n$.

An oracle for Problem I now produces a solution. The only case remaining is if $(A, n) = (B, n) = (C, n) = (M, n) = 1$. By completing the square we get

$(X + CA^{-1}Y)^2 - [(CA^{-1})^2 - BA^{-1}]Y^2 \equiv MA^{-1} \pmod n$. (2)

Substituting $Z = Y$ and $W = X + CA^{-1}Y$ gives

$W^2 - [(CA^{-1})^2 - BA^{-1}]Z^2 \equiv MA^{-1} \pmod n$. (3)

By assumption $n \nmid [(CA^{-1})^2 - BA^{-1}]$, so either $(n, C^2 - AB)$ gives a nontrivial factor of n or else an oracle for Problem I produces a solution W, Z to (3). In the latter case, $Y = Z$ and $X = W - CA^{-1}Y$ is a solution to the original congruence.
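As an added worked instance of this reduction (not from the paper), the following code carries a Problem II instance through (2) and (3), calls a Problem I oracle, and undoes the substitution. Pollard's algorithm is not on this page, so the oracle here is an exhaustive search, which only makes sense for the constructed toy modulus n = 77 used below; the function names and the instance A = 2, B = 3, C = 5, M = 4 are this example's own choices.

```python
# Added example (not from the paper): the completing-the-square reduction of
# Theorem 1, taking a Problem II instance A X^2 + B Y^2 + 2 C X Y = M (mod n)
# to a Problem I instance W^2 + A' Z^2 = M' (mod n).  Pollard's algorithm is the
# real Problem I oracle; here it is replaced by exhaustive search, which is fine
# for the constructed toy modulus n = 77 but not for the ~600-bit n of OSS.
from math import gcd

def problem_i_oracle(a, m, n):
    """Brute-force stand-in for Pollard's algorithm: X, Y with
    X^2 + A Y^2 = M (mod n), or None if no solution exists
    (for odd squarefree n with (A,n) = (M,n) = 1 one always exists)."""
    for x in range(n):
        for y in range(n):
            if (x * x + a * y * y) % n == m % n:
                return x, y
    return None

def solve_problem_ii(a, b, c, m, n):
    """Theorem 1.  Returns ('factor', g) when a gcd exposes a proper divisor
    of n, otherwise ('solution', X, Y) with A X^2 + B Y^2 + 2 C X Y = M (mod n)."""
    # First step of the proof: any proper gcd is a factor of n and we stop.
    for v in (a, b, m, c):
        g = gcd(v, n)
        if 1 < g < n:
            return ("factor", g)
    a_inv = pow(a, -1, n)
    if c % n == 0:
        # n | C: the form is already X^2 + (B/A) Y^2 = M/A, i.e. Problem I.
        sol = problem_i_oracle(b * a_inv % n, m * a_inv % n, n)
        if sol is None:
            raise ValueError("no solution modulo n")
        return ("solution",) + sol
    # General case, equations (2)/(3): with W = X + C A^-1 Y and Z = Y,
    #   W^2 - [(C A^-1)^2 - B A^-1] Z^2 = M A^-1 (mod n).
    ca = c * a_inv % n
    coeff = (ca * ca - b * a_inv) % n          # (C A^-1)^2 - B A^-1
    g = gcd(c * c - a * b, n)                   # n does not divide C^2 - AB, ...
    if 1 < g < n:                               # ... but a proper gcd is a factor
        return ("factor", g)
    # Problem I form is W^2 + A' Z^2 = M', so A' = -coeff.
    sol = problem_i_oracle((-coeff) % n, m * a_inv % n, n)
    if sol is None:
        raise ValueError("no solution modulo n")
    w, z = sol
    # Undo the substitution: Y = Z, X = W - C A^-1 Y.
    y = z
    x = (w - ca * y) % n
    return ("solution", x, y)

def check_problem_ii(a, b, c, m, n, x, y):
    """Verify A X^2 + B Y^2 + 2 C X Y = M (mod n)."""
    return (a * x * x + b * y * y + 2 * c * x * y - m) % n == 0

if __name__ == "__main__":
    a, b, c, m, n = 2, 3, 5, 4, 77      # constructed toy instance, n = 7 * 11
    out = solve_problem_ii(a, b, c, m, n)
    print(out, check_problem_ii(a, b, c, m, n, out[1], out[2]))
```

The gcd checks at the top are the part a practitioner should notice: the reduction never needs the factorization of n, but any step at which a gcd with n turns out to be proper hands it over for free, which is why the paper treats "a factor of n" as an acceptable output alongside a solution.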



3. Proof of Theorem 2

If $1 < (M_1, n) < n$, then the Euclidean algorithm gives a nontrivial factor of n, so we may assume that $(M_1, n) = 1$. Since $(N(M), n) = 1$, it follows that M is invertible modulo n, and we can use the Euclidean algorithm to calculate $\bar M = \bar M_0 + \bar M_1\sqrt d$ such that $M\bar M \equiv 1 \pmod n$. If we now want to solve

$(X_0 + X_1\sqrt d)^2 - (K_0 + K_1\sqrt d)(Y_0 + Y_1\sqrt d)^2 \equiv M_0 + M_1\sqrt d \pmod n$, (4)

then it suffices to solve

$(\bar M_0 + \bar M_1\sqrt d)(X_0 + X_1\sqrt d)^2 - (r_0 + r_1\sqrt d)(Y_0 + Y_1\sqrt d)^2 \equiv 1 \pmod n$, (5)

where $r_0 + r_1\sqrt d = (\bar M_0 + \bar M_1\sqrt d)(K_0 + K_1\sqrt d)$. Setting $Y_0 = 1$ and $Y_1 = 0$, the left hand side of the congruence (5) becomes

$\{\bar M_0 X_0^2 + \bar M_0 d X_1^2 + 2d\bar M_1 X_0 X_1 - r_0\} + \{\bar M_1 X_0^2 + \bar M_1 d X_1^2 + 2\bar M_0 X_0 X_1 - r_1\}\sqrt d$.

By our assumptions we have that $(\bar M_1, n) = 1$, $n \nmid \bar M_1 d$, and $n \nmid (\bar M_0^2 - d\bar M_1^2)$. Therefore using an oracle for Problem II, we either get a nontrivial factor of n or a solution $X_0$, $X_1$ to the congruence

$\bar M_1 X_0^2 + \bar M_1 d X_1^2 + 2\bar M_0 X_0 X_1 \equiv r_1 \pmod n$.

Let $c = \bar M_0 X_0^2 + \bar M_0 d X_1^2 + 2d\bar M_1 X_0 X_1 - r_0$. If $(n, c) = 1$, then

$(X_0 + X_1\sqrt d)^2 - (K_0 + K_1\sqrt d)(1 + 0\sqrt d)^2 \equiv c(M_0 + M_1\sqrt d) \pmod n$,

giving an output of type a). If $n \mid c$, then

$(X_0 + X_1\sqrt d)^2 \equiv K_0 + K_1\sqrt d \pmod n$,

giving an output of type c). If $1 < (n, c) < n$, then we get a nontrivial factor of n.

4. Proof of Theorem 3

We now show how to solve Problem IV, i.e. how to find solutions of the congruence

$(X_0 + X_1\sqrt d)^2 - (K_0 + K_1\sqrt d)(Y_0 + Y_1\sqrt d)^2 \equiv M_0 + M_1\sqrt d \pmod n$, (6)

where $(N(KM), n) = 1$. The method uses two appeals to an oracle for Problem III, essentially to replace K and M by integers. There are however several possible outputs from Problem III, and we must show how to solve the congruence (6) in each case.

Let us first observe that if $n = 2^a n_1$ where $n_1$ is odd, then it suffices to solve the congruence separately modulo $2^a$ and modulo $n_1$, since we can then use the Chinese Remainder Theorem to construct a solution modulo n. In order to construct a solution modulo $2^a$ when $a \le 3$, we can simply try all of the finite number of possible values for X and Y.



If $a > 3$, then we first construct a solution modulo 8 (if it exists). We will now show how to use Hensel's lemma to lift the solution modulo 8 to a solution modulo $2^a$. Let $X = X_0 + X_1\sqrt d$ and $Y = Y_0 + Y_1\sqrt d$ be a solution of the congruence $X^2 - KY^2 \equiv M \pmod{2^b}$, where $b \ge 3$. We want to choose $Z, W \in \mathbb{Z}[\sqrt d]$ such that

$(X + 2^{b-1}Z)^2 - K(Y + 2^{b-1}W)^2 \equiv M \pmod{2^{b+1}}$. (7)

Since $b \ge 3$, this is equivalent to

$X^2 - KY^2 - M + 2^b(XZ - KYW) \equiv 0 \pmod{2^{b+1}}$.

Let $X^2 - KY^2 - M = 2^b R$, with $R \in \mathbb{Z}[\sqrt d]$. Then it suffices to find Z and W satisfying

$XZ - KYW \equiv -R \pmod 2$. (8)

Since $(N(KM), 2) = 1$, $X^2 \equiv N(X) \pmod 2$ and $Y^2 \equiv N(Y) \pmod 2$, it follows that either $(N(X), 2) = 1$ or $(N(KY), 2) = 1$, so that either X or KY is invertible modulo 2. If X is invertible modulo 2, then a solution of (8) is given by $Z = -XR$ and $W = 0$. If KY is invertible, then we take $Z = 0$ and $W = KYR$. Since (7) is solvable, we can lift the solution modulo $2^b$ to a solution modulo $2^{b+1}$.
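The lifting step is mechanical enough to run. The following added example (not from the paper) implements (7) and (8) for the 2-power part of the modulus: it finds a base solution modulo 8 by exhaustive search and lifts it to a solution modulo $2^a$, choosing Z or W exactly as the proof does. The ring helpers, the function names and the instance d = 3, K = 2 + √3, M = 2 + √3 (for which N(KM) = 1 is odd, as Theorem 3 requires) are this example's own choices.

```python
# Added example (not from the paper): the 2-adic Hensel step of Theorem 3.  A
# solution of X^2 - K Y^2 = M (mod 8) found by exhaustive search (8^4 = 4096
# candidates) is lifted to a solution modulo 2^a by repeating (7)-(8):
#   R = (X^2 - K Y^2 - M) / 2^b,  choose Z, W with X Z - K Y W = -R (mod 2),
#   X <- X + 2^(b-1) Z,  Y <- Y + 2^(b-1) W,
# which moves the solution from modulus 2^b to modulus 2^(b+1).  Elements of
# Z[sqrt d] are integer pairs (a0, a1) meaning a0 + a1*sqrt(d).  The instance
# d = 3, K = 2 + sqrt 3, M = 2 + sqrt 3 is constructed for illustration.

def mul(x, y, d):
    """(x0 + x1 sqrt d)(y0 + y1 sqrt d) as an exact pair of integers."""
    return (x[0] * y[0] + d * x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def norm(x, d):
    """N(X) = X0^2 - d X1^2."""
    return x[0] * x[0] - d * x[1] * x[1]

def residual(x, y, k, m, d):
    """X^2 - K Y^2 - M in Z[sqrt d], exact (no reduction)."""
    x2 = mul(x, x, d)
    ky2 = mul(k, mul(y, y, d), d)
    return (x2[0] - ky2[0] - m[0], x2[1] - ky2[1] - m[1])

def solves(x, y, k, m, d, modulus):
    """True when X^2 - K Y^2 = M holds componentwise modulo `modulus`."""
    r = residual(x, y, k, m, d)
    return r[0] % modulus == 0 and r[1] % modulus == 0

def solve_mod_8(k, m, d):
    """Exhaustive search for the base case modulo 2^3, or None."""
    for x0 in range(8):
        for x1 in range(8):
            for y0 in range(8):
                for y1 in range(8):
                    if solves((x0, x1), (y0, y1), k, m, d, 8):
                        return (x0, x1), (y0, y1)
    return None

def hensel_lift(x, y, k, m, d, a):
    """Lift a solution modulo 8 to a solution modulo 2^a (a >= 3)."""
    for b in range(3, a):
        mod_next = 1 << (b + 1)
        r = residual(x, y, k, m, d)          # divisible by 2^b by induction
        r = (r[0] >> b, r[1] >> b)           # R with 2^b R = X^2 - K Y^2 - M
        ky = mul(k, y, d)
        if norm(x, d) % 2 == 1:
            # X is a unit mod 2 and X^-1 = X (mod 2): Z = -X R, W = 0.
            xr = mul(x, r, d)
            z, w = (-xr[0], -xr[1]), (0, 0)
        elif norm(ky, d) % 2 == 1:
            # K Y is a unit mod 2: Z = 0, W = K Y R.
            z, w = (0, 0), mul(ky, r, d)
        else:
            raise ValueError("neither X nor KY is a 2-adic unit; cannot lift")
        step = 1 << (b - 1)
        x = ((x[0] + step * z[0]) % mod_next, (x[1] + step * z[1]) % mod_next)
        y = ((y[0] + step * w[0]) % mod_next, (y[1] + step * w[1]) % mod_next)
    return x, y

def demo(a=40):
    """Constructed instance; X = 1 + sqrt 3, Y = 1 is an exact solution."""
    d, k, m = 3, (2, 1), (2, 1)
    base = solve_mod_8(k, m, d)
    x, y = hensel_lift(base[0], base[1], k, m, d, a)
    return x, y, solves(x, y, k, m, d, 1 << a)

if __name__ == "__main__":
    print(demo())
```

Only the parity of Z and W matters at each step, because the $2^{2b-2}Z^2$ term vanishes modulo $2^{b+1}$ once $b \ge 3$; that is the reason the base case must reach modulus 8 by search before lifting starts.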

It now suffices to show how to solve the congruence (6) in the case n is odd. Consider first the case that $n \mid d$. In this case (6) reduces to the system of congruences

$X_0^2 - K_0Y_0^2 \equiv M_0 \pmod n$,

$2X_0X_1 - K_1Y_0^2 - 2K_0Y_0Y_1 \equiv M_1 \pmod n$.

Since $(N(K), n) = 1$ and $(N(M), n) = 1$, it follows that $(K_0, n) = 1$ and $(M_0, n) = 1$, so that an oracle for Problem I will produce a solution $X_0$, $Y_0$ to the first of these congruences. Furthermore, at least one of $2X_0$ and $2K_0Y_0$ will be relatively prime to n since $(M_0, n) = 1$ and n is odd. Hence the second congruence above can be solved using the Euclidean algorithm.

Next we consider the case n odd and $n \nmid d$. One of the possible outputs from Problem III is a factorization $n = n_1 n_2$. If $(n_1, n_2) = 1$, then we can solve the congruences $X^2 - KY^2 \equiv M \pmod{n_i}$ and combine the results with the Chinese Remainder Theorem to get a solution of (6). This splitting procedure will be required at most $O(\log n)$ times. If in the factorization $n = n_1 n_2$ we have $(n_1, n_2) > 1$, then let $G = (n_1, n_2)$, $n = G^2 H_1$, and $G_1 = (G, H_1)$. If $G_1 = 1$ and $H_1 \ne 1$, then we have a relatively prime factorization and can use the Chinese Remainder Theorem. If $G_1 > 1$, then write $n = G^2 G_1 H_2$, and let $G_2 = (G, H_2)$. Continuing in this manner, since the $H_i$'s are decreasing, we either arrive at a value $H_i = 1$, or else we find $G_i = 1$ which produces a relatively prime factorization of n. If $H_i = 1$, then it is easy to see that $p \mid n$ if and only if $p \mid G$. Hence we can run the algorithm with n replaced by G, and later use Hensel's Lemma to construct a solution modulo a sufficiently large power of G that is divisible by n. It should be remarked that the computations required to apply both Hensel's Lemma and the Chinese Remainder Theorem can be carried out in deterministic polynomial time.

Another possible output from Problem III is a square root of K modulo n. If we know $S \in \mathbb{Z}[\sqrt d]$ with $S^2 \equiv K \pmod n$, then as in [OSS2] we get the factorization $X^2 - KY^2 = (X - SY)(X + SY)$. It then suffices to solve the linear system

$X - SY \equiv 1 \pmod n$,
$X + SY \equiv M \pmod n$.

Notice that S is invertible mod n, and also that 2 is invertible mod n since we have assumed that n is odd. Hence the solution to the linear system is provided by

$X \equiv (M + 1)/2 \pmod n$,
$Y \equiv (M - 1)/(2S) \pmod n$.
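This linear-system solution is also exactly how the legitimate OSS signer of the Introduction works, with $S = t_0 + t_1\sqrt d$ the secret root of K. The following added example (not from the paper) implements the $\mathbb{Z}[\sqrt d]$ arithmetic of Section 1, the inverse formula $\bar X_0 \equiv X_0 N(X)^{-1}$, $\bar X_1 \equiv -X_1 N(X)^{-1}$, and the signing and verification steps $X \equiv (M+1)/2$, $Y \equiv (M-1)/(2S)$. The toy modulus n = 77, d = 3, the root S = 2 + 5√3 and the message M = 4 + √3 are constructed for illustration, and the function names are this example's own.

```python
# Added example (not from the paper): arithmetic in Z[sqrt d] modulo n, the
# inverse formula Xbar = (X0 - X1 sqrt d) * N(X)^-1, and the "known square root"
# case of Theorem 3, which is also the legitimate OSS signing operation: with
# S = t0 + t1 sqrt d secret and K = S^2 (mod n) public, a signature on M is
# X = (M+1)/2, Y = (M-1)/(2S), and the receiver checks X^2 - K Y^2 = M (mod n).
# n = 77, d = 3, S = 2 + 5 sqrt 3 and M = 4 + sqrt 3 are constructed toy values.
from math import gcd

def norm(x, d):
    """N(X) = X0^2 - d X1^2 for X = (X0, X1) meaning X0 + X1*sqrt(d)."""
    return x[0] * x[0] - d * x[1] * x[1]

def mul(x, y, d, n):
    """Product in Z[sqrt d], reduced componentwise modulo n."""
    return ((x[0] * y[0] + d * x[1] * y[1]) % n, (x[0] * y[1] + x[1] * y[0]) % n)

def inv(x, d, n):
    """Inverse modulo n via the paper's formulas
    Xbar0 = X0 * N(X)^-1,  Xbar1 = -X1 * N(X)^-1  (mod n);
    pow(., -1, n) is the extended-Euclid inverse of the rational integer N(X).
    Raises ValueError when gcd(N(X), n) > 1, i.e. X is not invertible mod n."""
    nx = norm(x, d) % n
    if gcd(nx, n) != 1:
        raise ValueError("N(X) not coprime to n; X is not invertible mod n")
    ninv = pow(nx, -1, n)
    return ((x[0] * ninv) % n, (-x[1] * ninv) % n)

def oss_sign(m, s, d, n):
    """Solve X^2 - S^2 Y^2 = M (mod n) through (X - SY)(X + SY) = 1 * M:
    X = (M+1)/2, Y = (M-1)/(2S).  Needs n odd (so that 2 is invertible)."""
    two_inv = pow(2, -1, n)
    x = ((m[0] + 1) * two_inv % n, m[1] * two_inv % n)
    two_s = mul((2, 0), s, d, n)
    y = mul(((m[0] - 1) % n, m[1] % n), inv(two_s, d, n), d, n)
    return x, y

def oss_verify(x, y, k, m, d, n):
    """Public check X^2 - K Y^2 == M (mod n), as the receiver performs it."""
    x2 = mul(x, x, d, n)
    ky2 = mul(k, mul(y, y, d, n), d, n)
    return ((x2[0] - ky2[0]) % n, (x2[1] - ky2[1]) % n) == (m[0] % n, m[1] % n)

def demo():
    n, d = 77, 3                  # constructed toy modulus (7 * 11) and d
    s = (2, 5)                    # secret root S = 2 + 5 sqrt 3, N(S) = -71
    k = mul(s, s, d, n)           # public K = S^2 mod n
    m = (4, 1)                    # message M = 4 + sqrt 3, N(M) = 13
    assert gcd(norm(mul(k, m, d, n), d), n) == 1   # the paper's (N(KM), n) = 1
    x, y = oss_sign(m, s, d, n)
    return x, y, k, m, oss_verify(x, y, k, m, d, n)

if __name__ == "__main__":
    print(demo())
```

The point of Theorem 3's case c) is visible in `oss_sign`: it never uses p or q, only a square root of K. That is why the paper counts "a square root of K modulo n" as a successful oracle output, and why Remark 3 notes that even this much is unnecessary once Problems I to III are solvable.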

We may now disregard the cases in which the output from the oracle for Problem III is not of type a). The first step in solving (6) is to reduce to solving

$(X + Y\sqrt d)^2 - (K_0 + K_1\sqrt d)(W + Z\sqrt d)^2 \equiv c \pmod n$, (9)

where $c \in \mathbb{Z}$. If $n \mid M_1$, then (6) is already in the desired form. If $n \nmid M_1$, then use an oracle for Problem III to obtain $X_0, X_1, Y_0, Y_1, c$ such that $(c, n) = 1$ and

$(X_0 + X_1\sqrt d)^2 - (K_0 + K_1\sqrt d)(Y_0 + Y_1\sqrt d)^2 \equiv c(M_0 + M_1\sqrt d) \pmod n$.

(The procedure if the oracle returns a type b) or c) output has already been dealt with.) Using an idea from Pollard's original algorithm (see [S1] or [PS]) it is now enough to solve (9), since we can use the composition of binary quadratic forms to construct a solution to (6). By the observation of Lenstra (see [OSS2]), the roles of K and c are interchangeable, so to solve (9) it suffices to solve

$(X + Y\sqrt d)^2 - c(W + Z\sqrt d)^2 \equiv K_0 + K_1\sqrt d \pmod n$. (10)

By the same reasoning that led us to the problem of solving (9), we can use an oracle for Problem III in order to reduce (10) to the problem of solving

$(X + Y\sqrt d)^2 - c(W + Z\sqrt d)^2 \equiv b \pmod n$, (11)

where $b \in \mathbb{Z}$ satisfies $(b, n) = 1$. Finally we use an oracle for Problem I to solve (11) over the rationals.

References

OSS1 H. Ong, C. P. Schnorr, and A. Shamir, "An Efficient Signature Scheme Based on Quadratic Equations," Proc. 16th ACM Symp. Theor. Comput. (1984) 208-216.

OSS2 H. Ong, C. P. Schnorr, and A. Shamir, "Efficient Signature Schemes Based on Polynomial Equations," to appear in Crypto 84, Lecture Notes in Computer Science, Springer-Verlag, N.Y., 1984.

PS J. M. Pollard and C.-P. Schnorr, "Solution of $x^2 + ky^2 \equiv m \pmod n$, with applications to digital signatures," preprint, 1985.

S1 J. Shallit, "An Exposition of Pollard's Algorithm for Quadratic Congruences," Technical Report 84-006, Department of Computer Science, University of Chicago, Dec. 1984.

R M. O. Rabin, "Digitalized signatures and public-key functions as intractable as factorization," M.I.T. Laboratory for Computer Science, Technical Report LCS/TR-212, 1979.



ANOTHER BIRTHDAY ATTACK 



Don Coppersmith 
IBM Research 
Yorktown Heights, NY 10598



Abstract: We show that a meet-in-the-middle attack can successfully defraud the Davies-Price message 
authentication scheme. Their scheme used message blocks in an iterated encipherment of an initial block, and it went 
through the message blocks twice, in order to prevent just such a "birthday" attack. 

Background 

This note concerns methods for attaching a digital signature to a long message. There are several proposals for hashing the long message into a shorter hashed value, which can then be digitally signed by a more expensive technique, for example RSA [RSA]. This allows the signature to be publicized without revealing the content of the message; it allows a shorter signature; and it decreases the computation time necessary for computing or checking signatures [Den].

Rabin [Rab] introduced a scheme, based on a general block cipher. It can be described in terms of DES, although Rabin's proposal did not use DES. In this scheme, the message M would be broken into 56-bit blocks $M_i$, and these message blocks would be used as keys for the iterated encipherment of some initial value $H_0$. The final encipherment, along with the initial value, would form the hash value. Thus

$H_0$ = random
$H_i = E_{M_i}(H_{i-1})$, $1 \le i \le n$
RSA-Sign$(H_0, H_n)$.

(Notation: here and throughout, $E_K(X)$ is the DES encipherment of the cleartext X under the key K; $D_K(Y)$ is the DES decipherment of the ciphertext Y under the key K.)

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 14-17, 1986.
© Springer-Verlag Berlin Heidelberg 1986

The problem with this scheme in conjunction with DES is a "meet-in-the-middle" or "birthday" attack. The opponent, knowing the RSA-signature of the pair $(H_0, H_n)$ arising from some legitimate message M', can devise a message M whose content is largely selected by the opponent, but whose hash value is also $(H_0, H_n)$. Thus the RSA-signature of $(H_0, H_n)$ can be reused to sign this bogus message.

To accomplish this, the opponent need only evaluate $2^{33}$ encipherments, instead of the $2^{64}$ required by the naive trial-and-error approach. (He also uses $2^{32} \approx 4 \times 10^9$ storage.) Namely, the opponent specifies values of $M_1, M_2, \ldots, M_{n-2}$. Using the given value of $H_0$, he computes successively $H_1, H_2, \ldots, H_{n-2}$. Then for each of $2^{32}$ trial values X for the message block $M_{n-1}$, he computes that value $H_{n-1}[X] = E_X(H_{n-2})$ which $H_{n-1}$ would have if X were chosen for $M_{n-1}$. These $2^{32}$ values are sorted and stored. Now for each of $2^{32}$ trial values Y for the message block $M_n$, he computes that value $H'_{n-1}[Y] = D_Y(H_n)$ which $H_{n-1}$ would need to have in order for $H_n$ to have its correct value, under the assumption that Y were chosen for $M_n$. Each of these values is compared against the sorted values for $H_{n-1}[X]$. If a match is found ($H_{n-1}[X] = H'_{n-1}[Y]$) then the assignments $M_{n-1} = X$, $M_n = Y$ complete the message M to one satisfying our requirements. Finally, the expected number of "successful" pairs (X, Y) is 1, so that we will find one with reasonable probability; this probability can be increased by a modest increase in the work factor.
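To make the work factor concrete, here is an added example (not part of Coppersmith's note) that runs the meet-in-the-middle step just described against Rabin's chaining construction, with a constructed 16-bit toy cipher standing in for DES so that everything is small enough to execute. The names `encipher`, `decipher`, `rabin_hash` and `meet_in_the_middle`, the fixed permutation P, the IV and all message blocks are this example's own constructions. The design lesson is the one the note draws for 64-bit DES blocks: an n-bit chaining value resists this attack only up to about $2^{n/2}$ work, which is why a hash's internal state must be much wider than the collision resistance one wants from it.

```python
# Added example (not from the note): the meet-in-the-middle step on Rabin's
# chained construction H_i = E_{M_i}(H_{i-1}), scaled from DES down to a
# constructed 16-bit toy cipher.  With an n-bit chaining value the note's
# 2^(n/2) bound applies: here n = 16, so about 2^8 trial blocks per side
# suffice to collide, versus 2^16 for naive search.  The toy cipher
# E_K(X) = P(X xor K), with P a fixed random 16-bit permutation, has no
# security value; it only supplies an invertible keyed map so that D_K exists.
import random

BITS = 16
MASK = (1 << BITS) - 1
_rng = random.Random(20250101)             # fixed seed: deterministic run
_P = list(range(1 << BITS))
_rng.shuffle(_P)
_P_INV = [0] * (1 << BITS)
for _i, _v in enumerate(_P):
    _P_INV[_v] = _i

def encipher(key, block):
    """Toy E_K(X)."""
    return _P[(block ^ key) & MASK]

def decipher(key, block):
    """Toy D_K(Y), the inverse of encipher under the same key."""
    return _P_INV[block & MASK] ^ key

def rabin_hash(h0, blocks):
    """H_i = E_{M_i}(H_{i-1}); returns H_n.  The pair (H_0, H_n) is what is signed."""
    h = h0
    for m in blocks:
        h = encipher(m, h)
    return h

def meet_in_the_middle(h0, hn, chosen_prefix):
    """Given a signed (H_0, H_n) and a chosen prefix M_1..M_{n-2}, find
    M_{n-1} = X and M_n = Y with E_X(H_{n-2}) == D_Y(H_n).  The trial count t
    per side is doubled until a match appears; at t = 2^BITS the forward table
    is complete, so termination is guaranteed.  Returns (message, t)."""
    h_prefix = rabin_hash(h0, chosen_prefix)                 # H_{n-2}
    t = 1 << (BITS // 2)                                      # start at 2^(n/2)
    while True:
        forward = {encipher(x, h_prefix): x for x in range(t)}   # H_{n-1}[X]
        for y in range(t):
            target = decipher(y, hn)                               # H'_{n-1}[Y]
            if target in forward:
                return chosen_prefix + [forward[target], y], t
        t <<= 1

def demo():
    h0 = 0x1234                                   # constructed IV
    legitimate = [0x41, 0x42, 0x43, 0x44, 0x45]   # constructed signed message
    hn = rabin_hash(h0, legitimate)
    bogus_prefix = [0x58, 0x59, 0x5A]             # content chosen freely
    forged, trials = meet_in_the_middle(h0, hn, bogus_prefix)
    return forged, trials, rabin_hash(h0, forged) == hn

if __name__ == "__main__":
    msg, trials, ok = demo()
    print(f"second preimage {msg}: {trials} trials per side, hash matches: {ok}")
```

The returned trial count is the number to compare with $2^{16}$: doubling from $2^8$ rarely needs more than a step or two, which is the toy-sized image of $2^{33}$ against $2^{64}$ in the note. Cycling the blocks through twice, as Davies and Price proposed, does not change this state-width limit, which is the subject of the next section.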

The Davies-Price Scheme 

Davies and Price [DP] introduced another DES-based message authentication scheme, by which they hoped to avoid this attack. Their scheme differs from Rabin's in that they cycle through the message blocks twice. Thus,

$H_0$ = random
$H_i = E_{M_i}(H_{i-1})$, $1 \le i \le n$
$H_i = E_{M_{i-n}}(H_{i-1})$, $n < i \le 2n$
RSA-Sign$(H_0, H_{2n})$.

In the present note, we mount an attack on this scheme, similar to the meet-in-the-middle attack described above, with not much larger computational requirements.

The Attack 

Our attack has two phases: a precomputation phase, which can be done once and used against all messages; and a stage tailored to the individual message. The requirements: for the precomputation stage, $2^{37}$ encipherments and $2^{36}$ storage; for the individual message, $2^{35}$ encipherments and $2^{32}$ storage. There are modest trade-offs available.

The message format is as follows. We select most of the message (say blocks $M_{19}$ through $M_n$) to be the text of that bogus message which we are trying to authenticate. Blocks $M_1$ and $M_2$ are chosen (by a meet-in-the-middle step) to put ourselves into a standardized position. Finally, blocks $M_3, M_4, \ldots, M_{18}$ are chosen, from among possibilities enumerated during the precomputation, to "meet in the middle" one last time.

During the precomputation, we select an arbitrary 64-bit quantity Z, which is going to be the value of $H_2, H_4, H_6, \ldots, H_{18}$. We select $2^{36}$ trial values X, compute the values $E_X(Z)$, and sort and store these values. Now select $2^{36}$ trial values Y, compute the values $D_Y(Z)$, and compare each against the values $E_X(Z)$. Record each match: $E_{X_j}(Z) = D_{Y_j}(Z)$. We expect to find about 256 such pairs $\{(X_j, Y_j), 1 \le j \le 256\}$; if not, examine a few more values of Y. Each such pair $(X_j, Y_j)$ can be used as a message pair $(M_3, M_4)$, $(M_5, M_6)$, ..., or $(M_{17}, M_{18})$, in the sense that if we have $H_2 = Z$, $M_3 = X_j$, $M_4 = Y_j$, then we get $H_4 = Z$.

Given a message $M' = (M_{19}, M_{20}, \ldots, M_n)$, an RSA-signature of some pair $(H_0, H_{2n})$, the chosen value of Z and the 256 pairs $(X_j, Y_j)$ gotten during precomputation, our task is to select values of $M_1, M_2, \ldots, M_{18}$ which will make $(H_0, H_{2n})$ a valid hash of $M = (M_1, M_2, \ldots, M_n)$.

First we find values of $M_1$ and $M_2$ such that $E_{M_1}(H_0) = D_{M_2}(Z)$; this takes $2^{33}$ encipherments and $2^{32}$ storage. We know that $H_2 = Z$, so as long as the pairs $(M_3, M_4), \ldots, (M_{17}, M_{18})$ are chosen from our list $(X_j, Y_j)$, we will have $H_4 = H_6 = \cdots = H_{18} = Z$. Assuming $H_{18} = Z$, use the values $M_{19}$ through $M_n$ to compute the value $H_n$; with the values $M_1$ and $M_2$ we can then get the value of $H_{n+2}$. Working backwards from $H_{2n}$, using the values $M_n, M_{n-1}, \ldots, M_{19}$, we find the value of $H_{n+18}$.

Now we use the precomputed pairs $(X_j, Y_j)$. For each of $256^4 = 2^{32}$ choices of four pairs $(X_j, Y_j)$ to be the values of $(M_3, M_4), (M_5, M_6), (M_7, M_8), (M_9, M_{10})$, compute the value of $H_{n+10}$ that would result. (The efficient way to do this is to run through the pairs lexicographically, so as not to recompute $E_{X}(H_{n+2})$ for each of its occurrences.) Sort and store these trial values of $H_{n+10}$. Similarly, select pairs to be the values of $(M_{11}, M_{12}), (M_{13}, M_{14}), (M_{15}, M_{16}), (M_{17}, M_{18})$, compute backwards from $H_{n+18}$ to get trial values of $H_{n+10}$. Compare against the stored trial values. We expect one match, and the corresponding values of $M_3$ through $M_{18}$ finish our task.

Extensions 

The Davies-Price scheme could be altered by running through the message three times instead of twice. This attack will still work, at the expense of a large increase in the number of "constrained" message blocks (the message blocks chosen by the algorithm, rather than selected by the user).

Another possible scheme would be to set up two initializing vectors.

$H_0, H'_0$ random,
$H'_i = E_{M_i}(H'_{i-1})$, $1 \le i \le n$,
RSA-Sign$(H_0, H_n, H'_0, H'_n)$.

Minor modifications to the present attack allow this scheme to be broken as well. Namely, do the same precomputation as before, and compute $M_1, M_2$ as before. Work forwards to find $H_{n-2}$, then use a meet-in-the-middle step to discover values $M_{n-1}, M_n$ which satisfy the requirement on $H_n$. Then the values $M_3$ through $M_{18}$ can be selected as before (from the pairs $(X_j, Y_j)$) to satisfy the requirements on $H'_n$.

A word about "constrained" message blocks: since we only need to examine $2^{36} < 2^{38}$ values X in the precomputation, we can select them to be EBCDIC representations of alphanumeric characters, so that even the "constrained" message blocks needn't look like total nonsense. In fact, at the risk of increasing the number of such blocks, we can increase their plausibility, to the point of having a set English text, with the freedom of choice made by substitution of synonyms. [DP]

Trade-offs 

The presentation here tried to minimize computation time. There are two trade-offs available, which increase the 
computation time but decrease (1) storage and (2) length of constrained message, respectively. 

When running a meet-in-the-middle attack, we work forward with J values, sort and store the outcomes; work backwards with K values, and compare against the J values stored. We are likely to succeed if $JK > N$, where N is the size of the space (in our case $2^{64}$). Thus we trade off storage of J against computation time of K, subject to $K \ge J$, $JK \ge N$.

In the present attack, we had 18 blocks of constrained message. This can be decreased if we are willing to spend more time in precomputation. A precomputation of $2^{41}$ encipherments and $2^{40}$ temporary storage would allow us to recover $2^{16} = 65536$ pairs $(X_j, Y_j)$, and with that larger selection we would need to add only ten constrained message blocks: two at the beginning as before, and four pairs $(M_3, M_4), \ldots, (M_9, M_{10})$ to allow the last meet-in-the-middle step to go through ($65536^4 = 2^{64} = N$).
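The two meet-in-the-middle steps above, as an added example that is not part of the paper: a toy 16-bit keyed permutation (constructed here) stands in for DES, so the space has $N = 2^{16}$ values and $J = K = 2^{11}$ trials give about $JK/N = 2^6$ matching pairs, mirroring the paper's $2^{36} \cdot 2^{36} / 2^{64} = 2^8$. The cipher, the function names and the parameters are assumptions of this example; the sort-and-store structure is exactly the trade-off described in the text.

```python
# Added example (not the paper's code): the meet-in-the-middle steps of the
# attack with a toy 16-bit keyed permutation standing in for DES, so N = 2^16
# instead of 2^64 and the searches finish in well under a second.
MASK = 0xFFFF
MUL = 0x9E37                          # odd, so multiplication is invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4

def rotl(v, r): return ((v << r) | (v >> (16 - r))) & MASK
def rotr(v, r): return ((v >> r) | (v << (16 - r))) & MASK

def E(K, Z):
    """Toy block cipher: 16-bit block Z under 16-bit key K (the paper's E_K)."""
    z = Z
    for r in range(ROUNDS):
        z ^= rotl(K, 3 * r)                 # round key derived from K
        z = (z * MUL + 0x1234) & MASK       # invertible affine mix
        z = rotl(z, 5)
    return z

def D(K, Y):
    """Inverse of E (the paper's D_K): undo the rounds in reverse order."""
    z = Y
    for r in reversed(range(ROUNDS)):
        z = rotr(z, 5)
        z = ((z - 0x1234) * MUL_INV) & MASK
        z ^= rotl(K, 3 * r)
    return z

def meet_in_the_middle(forward, backward, J, K):
    """Sort-and-store J forward values, then compare K backward values against
    them.  Returns every (x, y) with forward(x) == backward(y); about J*K/N
    matches are expected, which is the trade-off J*K >= N discussed above."""
    table = {}
    for x in range(J):
        table.setdefault(forward(x), []).append(x)
    return [(x, y) for y in range(K) for x in table.get(backward(y), ())]

def precompute_pairs(Z, J=1 << 11, K=1 << 11):
    """Pairs (X, Y) with E_X(Z) = D_Y(Z), i.e. E_Y(E_X(Z)) = Z: two consecutive
    message blocks that return the chaining value Z to itself."""
    return meet_in_the_middle(lambda X: E(X, Z), lambda Y: D(Y, Z), J, K)

def find_link(H0, Z, J=1 << 11, K=1 << 11):
    """First step of the attack: (M1, M2) with E_{M1}(H0) = D_{M2}(Z), so that
    H2 = E_{M2}(E_{M1}(H0)) = Z."""
    return meet_in_the_middle(lambda M1: E(M1, H0), lambda M2: D(M2, Z), J, K)

def chain(H, blocks):
    """The Davies-Price iteration H_i = E_{M_i}(H_{i-1}) over the given blocks."""
    for M in blocks:
        H = E(M, H)
    return H

if __name__ == "__main__":
    Z = 0xBEEF
    pairs = precompute_pairs(Z)               # about 2^22 / 2^16 = 64 expected
    print(len(pairs), all(chain(Z, p) == Z for p in pairs))
    links = find_link(0x0123, Z)
    print(len(links), all(chain(0x0123, p) == Z for p in links))
```

With the real parameters the same code would need $2^{36}$ table entries per side; the toy sizes only change J, K and N, not the structure of the search.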

References 

[Den] D.E. Denning, Protecting public keys and signature keys, IEEE Computer, 1983, 16(2):27. 

[DP] D.W. Davies and W.L. Price, "The Application of Digital Signatures based on Public Key Cryptosystems," 
NPL Report DNACS 39/80, National Physical Laboratory, Teddington, Middlesex, England, Dec. 1980. 

[Rab] M. Rabin, Digital Signatures, in "Foundations of Secure Computation," Academic Press, New York, 1978. 

[RSA] R.L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key 
Cryptosystems," Comm. ACM, vol. 21, no. 2, Feb. 1978, pp. 120-126. 



ATTACKS ON SOME RSA SIGNATURES

Wiebren de Jonge (1) and David Chaum (2)

(1) Department of Mathematics and Computer Science, Vrije Universiteit, P.O. Box 7161, 1007 MC Amsterdam, The Netherlands

(2) Centre for Mathematics and Computer Science, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands



ABSTRACT 



Two simple redundancy schemes are shown to be inadequate in securing RSA signatures 
against attacks based on multiplicative properties. The schemes generalize the requirement that 
each valid message starts or ends with a fixed number of zero bits. Even though only messages 
with proper redundancy are signed, forgers are able to construct signatures on messages of their 
choice. 



1. INTRODUCTION 



The basic notions of redundancy in signatures and multiplicative attacks are introduced for 
completeness in this introductory section, along with an example which is used in subsequent sec- 
tions. Next the two redundancy schemes are presented briefly. An algorithm is then described 
and used to construct attacks on the two schemes. Finally, a second kind of attack is presented 
which also compromises the two redundancy schemes. 



1.1. THE NEED FOR REDUNDANCY 



RSA used in its raw form does not protect against a forger choosing an integer $S_c$ with $0 < S_c < n_A$, and computing $M_c = S_c^{e_A} \bmod n_A$ from it, where $n_A$ and $e_A$ are A's public modulus and exponent in an RSA system. Subsequently, the forger could claim that $S_c$ is the signature on $M_c$. Since exponentiation modulo n acts as a kind of one-way function when $\varphi(n)$ is



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 18-27, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






unknown, this chosen signature attack can be used for finding signatures on "random" (i.e., unpredictable) messages only. Thus, it may be said that only the signer can form signatures on chosen messages, but anybody can determine which message corresponds to a chosen signature.

To prevent these unpredictable messages from having a reasonable chance of being accepted, redundancy will be required in signed messages. Hence, a distinction will be made between messages and valid messages: all numbers M with $0 \le M < n$ are messages, but only a very small fraction of these will be valid messages. For instance, if 100 bits of redundancy are used, a chosen signature will have only a chance of $2^{-100}$ of corresponding to a valid message. Thus, finding a false signature (i.e., a signature on a valid message not actually signed by A) will cost $2^{99}$ trials on the average, which makes it infeasible to successfully guess a signature.

Some work has been based on the assumption that the signer would sign anything except 
some desired messages. ([DeMillo & Merritt 82] and [Denning 83] independently generalized and 
extended [Davida 82].) Under these assumptions, attackers were able to obtain signatures on 
desired messages simply by combining signatures on apparently unrelated messages. The seem- 
ingly more realistic and practical model assumed here, that the signer is only willing to sign valid 
messages, makes attacks more difficult — though not impossible — as will be shown. 

1.2. MULTIPLICATIVE ATTACKS 

Preventing chosen signature attacks not only requires a sufficient quantity of redundancy in 
valid messages; it also necessitates that the nature of the redundancy is appropriate, since RSA 
signatures are multiplicative. 

For example, suppose that B can construct three valid messages $M_1$, $M_2$ and $M_3$ such that $M_3 = (M_1 M_2) \bmod n_A$. Then, if B succeeds in getting $M_1$ and $M_2$ signed by A, B can form the product (modulo $n_A$) of these signatures to get a false signature on $M_3$, denoted $S_A(M_3)$, since

$S_A(M_3) = (M_1 M_2)^{d_A} \bmod n_A$
$= ((M_1^{d_A} \bmod n_A) \cdot (M_2^{d_A} \bmod n_A)) \bmod n_A$
$= (S_A(M_1) \cdot S_A(M_2)) \bmod n_A$.

B can also use the inverse $M^{-1}$ or the opposite $-M$ of a message M, assuming the corresponding signed version is known, as a factor in a product forming a new message, since $S_A(M^{-1} \bmod n_A) = (S_A(M))^{-1} \bmod n_A$ and $S_A(-M) = -S_A(M)$. (Notice that $d_A$ is odd.)

Thus, if B knows A's signature on one or more valid messages $M_i$, B can easily forge signatures for valid messages that B can rewrite as a product of message(s) $M_i$, their opposite(s) $-M_i$, or their inverse(s) $M_i^{-1}$ (all in modulo $n_A$ arithmetic). Note also that a message and/or its opposite and/or its inverse may occur in a product more than once. Therefore, the redundancy should make it infeasible to find such valid messages.

1.3. EXAMPLE CRYPTOSYSTEM 

Rivest, Shamir and Adleman recommended that n be about 200 decimal digits, which amounts to about 664 bits [RSA 78]. We will use a particular example of an RSA system for illustrative purposes, in which n is 800 bits, thereby maintaining an ample margin of safety with respect to known factorization techniques for appropriate moduli. The amount of redundancy used in the examples will be 200 bits. One reason for this choice of amount of redundancy is to provide for sufficient protection against a chosen signature attack. Another is for efficiency, since one does not want to expand the messages to be signed too much, say, not more than one third. Since, for our choice of n, RSA limits signed messages to 800 bits, the redundancy should amount to at most 200 bits. As a consequence, only a fraction of $2^{-200}$ of all 800-bit messages are valid, and thus the original message to be signed, called the actual message, may comprise 600 bits.

An important assumption is that every bit pattern of 600 bits represents a meaningful mes- 
sage; the only redundancy is that explicitly included in the remaining 200 bits. 

2. THE TWO REDUNDANCY SCHEMES 

In the first redundancy scheme the redundant bits are combined with the actual message by multiplying that message with an agreed on constant w. That is, all messages M for which $M \bmod w = 0$ are defined to be valid. The actual message present in such a valid message is $m = M \text{ div } w$. For $w = 2^{200}$, this means that each valid message ends up with 200 zero bits.

In analogy to the special case where w is a power of two, the general scheme will be called the right-padded redundancy scheme. Figure 1 shows how the right-padded redundancy scheme spreads the valid messages over the interval [0, n] for n = 91 and w = 6.

Fig. 1. The valid messages in case of right-padded redundancy for n = 91 and w = 6 (number line from 0 to n = 91 with ticks at the multiples of 6). The valid messages are 0, 6, 12, ..., 90. The actual messages are 0, 1, 2, ..., 15.






The counterpart of spreading valid messages over the interval [0, n] is to concentrate them in some interval [l, u] of appropriate size. The actual message contained in a valid message M then is $m = M - l$. For $l = 0$ and $u = 2^{600} - 1$, each valid message starts with a sequence of 200 zero bits. Accordingly, we call the general case of this scheme left-padded redundancy. Figure 2 illustrates the left-padded redundancy scheme for n = 91, l = 19 and u = 34.

3. A FIRST KIND OF ATTACK 

Before treating our attacks in detail, we mention briefly an algorithm that will be used 
heavily. 

3.1. A VARIATION OF EUCLID'S ALGORITHM 

The algorithm finds, for a given x with $0 < x < n$, the smallest positive value c such that $(cx) \bmod n$ is less than some given threshold value t. It is very similar to Euclid's algorithm for computing the greatest common divisor. Indeed, Euclid's algorithm can be used to compute an increasing sequence of values c for which the corresponding values $(cx) \bmod n$ form a decreasing sequence. The only important difference is that processing with our algorithm stops as soon as a value below the given threshold is reached. Since Euclid's algorithm has a worst case (and average case) complexity of $O(\log n)$ [Knuth 69], our algorithm will certainly be fast (enough) too.

For our purposes, it is often important that the value found for c is reasonably small. Although our algorithm can be used to find for any given values x and t the smallest c for which $(cx) \bmod n \le t$, there is no guarantee that c itself is smaller than some other threshold value. However, it is easy to show that there always exists some c with $0 < |c| \le n/t$ for which $0 < (cx) \bmod n \le t$.

Consider the values $(ax - b) \bmod n$ for integers a and b with $0 \le a \le \lceil n/t \rceil$ and $0 \le b \le t$. Since there are more than n different pairs (a, b), there exist two different pairs, say, $(a_1, b_1)$ and $(a_2, b_2)$, for which $(a_1 x - b_1) \bmod n = (a_2 x - b_2) \bmod n$. Since x usually will be co-prime with n (if not, one could factor n), we know that both $a_1 \ne a_2$ and $b_1 \ne b_2$. Therefore, we may safely assume that $b_1 > b_2$. Thus, for $c = (a_1 - a_2)$ it is true that $0 < |c| \le n/t$ and

$0 < (cx) \bmod n = (b_1 - b_2) \le t$.

Fig. 2. The valid messages with left-padded redundancy for n = 91, l = 19 and u = 34 (number line from 0 to n = 91 with the interval [19, 34] marked). The valid messages are 19, 20, 21, ..., 34. The actual messages are 0, 1, 2, ..., 15.

Since our algorithm searches for the smallest positive value c for which $(cx) \bmod n \le t$, the value found for c may be larger than $n/t$. If so, the above shows that there exists some c, $0 < c \le n/t$, such that $0 < (-cx) \bmod n \le t$. This c can be found by applying our algorithm to $(-x) \bmod n$.

3.3. ATTACKING RIGHT-PADDED REDUNDANCY 

If RSA is used in combination with the right-padded redundancy scheme, one attack proceeds as follows. First, choose an actual message $m_1$ (i.e., $m_1 < n_A \text{ div } w$) on which A's signature is desired. An attack, such as this, allowing a signature to be constructed for a chosen actual message will be called a chosen message attack. Now, $M_1 = m_1 w$ is a valid message, since $M_1 < n_A$ and $M_1 \bmod w = 0$. Next, compute $x = (m_1 w)^{-1} \bmod n_A$. If $w < n^{1/2}$, i.e., if the redundancy takes up less than half of the bits in a valid message, our algorithm of §3.1 can be used to find a number $0 < c < n_A \text{ div } w$ such that $(cx) \bmod n_A < n_A \text{ div } w$ or $(-cx) \bmod n_A < n_A \text{ div } w$. Thus, one can find two actual messages $m_2$ and $m_3$ such that $m_2 = (m_3 x) \bmod n_A$ or $m_2 = (-m_3 x) \bmod n_A$.

If one succeeds in getting A's signature on $m_2$ and $m_3$ (i.e., $S_A(M_2)$ and $S_A(M_3)$), one can compute A's signature on $m_1$ by multiplying $S_A(M_3)$ with the inverse of $S_A(M_2)$ and taking the opposite in the case we used $-x$. Naturally, all arithmetic is done modulo $n_A$. In case we used just x, this works, because

$S_A(M_1) = S_A((x^{-1} \cdot (m_3 w) \cdot (m_3 w)^{-1}) \bmod n_A)$
$= (S_A(m_3 w) \cdot S_A((m_3 x w)^{-1})) \bmod n_A$
$= (S_A(M_3) \cdot (S_A(M_2))^{-1}) \bmod n_A$;

in case $-x$, we have

$S_A(M_1) = (S_A(M_3) \cdot (-S_A(M_2))^{-1}) \bmod n_A$.

Of course, the attack makes sense only when $m_1 \ne m_2$ and $m_1 \ne m_3$. But if the found $m_2$ or $m_3$ happens to be equal to $m_1$, one simply searches for another value of c such that $(cx) \bmod n \le t$ or $(-cx) \bmod n \le t$. For example, one tries the next minimal value of $(cx) \bmod n$ or $(-cx) \bmod n$, respectively.






3.4. ATTACKING LEFT-PADDED REDUNDANCY 

RSA's multiplicative properties are also useful for attacking the RSA signature system when left-padded redundancy is used. Recall that this scheme defines valid messages as those in the interval [l, u].

As a first step it will be shown why, in the general case, l should be larger than $u^{1/2}$, and thus in our example should be larger than $2^{300}$. If l would be smaller than $u^{1/2}$, then any two valid messages $M_i$ (i = 1, 2) out of $[l, u^{1/2}]$ have a product, say $M_3$, which lies in the interval [l, u]. This makes a multiplicative attack far too easy. Thus, the left-padded redundancy scheme should certainly not be used with l = 0; i.e., just requiring each valid message to start with a certain number of zero-bits immediately appears to be unsuitable.

For $l > u^{1/2}$ there is a chosen message attack. Suppose that M is the valid message on which a false signature is desired. First, the attack will be shown for $M < u - l$, and later it will be extended for the more likely case that $M > u - l$.

Due to the large number of wrap-arounds, the number $(l \cdot M) \bmod n$ may be positioned anywhere in the interval [0, n]. Therefore, the chance that $lM \bmod n$ lies in the interval [l, u] is negligibly small. (About $2^{-200}$ in the example.) However, it is easy to find a positive integer i such that $(l + i)M \bmod n$ is in [l, u].

For example, suppose we have the situation as depicted in Figure 3, where $lM \bmod n$ is positioned somewhere to the right of [l, u]. Clearly, $(l + 1)M \bmod n$ lies a (relatively small) step of size M to the right of $lM \bmod n$, $(l + 2)M \bmod n$ lies another such step further to the right, and so on. Thus, it is easy to compute i, the number of steps to the right needed to end up in the "next" interval [l, u]. Since M is supposed to be less than $u - l$, the step size is small enough to prevent the interval from being missed by jumping too far.

Thus, if $l + i$ happens to be in [l, u], we have found three valid messages $M_i$ (i = 1, 2, 3) with $M_1 = l + i$, $M_2 = M$ and $M_3 = (l + i)M \bmod n$ for which $M_3 = (M_1 M_2) \bmod n$. Thus, a false signature on M can be constructed from the signatures on $M_1$ and $M_3$.

To be sure that $l + i$ indeed will be in [l, u], i.e., that $i \le s = u - l$, the step size should be large enough, i.e., $M > n/s$. Because of our assumption that $M \le s = u - l$, the interval size s should be larger than $n/s$. Therefore, this attack works for all chosen messages M with $n/s < M \le s$ if $s \ge n^{1/2}$, i.e., if the redundancy takes up less than half of the bits in a valid message.

Fig. 3. An illustration of the basic idea of the attack: the number line from 0 to n, showing the interval [l, u], its copy one period of n further on, and the position of $lM \bmod n$ between them. Note that this figure is not drawn to scale!

If $M > s = u - l$, there is no guarantee that a "walk" to the right with steps of size M will end up in the "next" interval [l, u]. For example, if $u - l = 2^{600}$ and if $M \approx 2^{700}$ then the chance to hit the next interval [l, u] on a walk to the right is only about $2^{-100}$.

However, as explained in §3.1, it is easy to find a value c for which $|c| < n/s$ and $cM \bmod n < s$. Starting with x = l or x = u, one can use this new value $cM \bmod n$ as the step size (to the right or to the left) and can compute for which integer i the number $(x + ic)M \bmod n$ will be in the interval [l, u]. Since we want $x + ic$ to be a valid message, the product ic should be less than s. Assuming that each number less than s had equal probability of being the chosen step size $cM \bmod n$, the chance that the step size is, for a given p, larger than $s/p$ is $1 - 1/p$. With a step size larger than $s/p$, i will be less than $(np)/s$. Thus, ic will then be less than $(n^2 p)/s^2$. This upper bound on ic should be kept smaller than s, therefore, s should be such that $s^3 > n^2 p$. In other words, the chance of success is very large roughly when the redundancy is less than one third of the bits in a valid message.

Consider our example with $l = 2^{700}$. The number c for which $cM \bmod n < 2^{600}$ or $(-cM) \bmod n < 2^{600}$ will be less than $2^{200}$. There is a high probability that the new step size, $cM \bmod n$ or $(-cM) \bmod n$, will be larger than, say, $2^{500}$. This means that the required number of steps, i, almost certainly will be less than $2^{300}$. In our example, ic thus may be expected to be less than $2^{500}$. This means that we could have started with almost any x in [l, u].



4. A SECOND STYLE OF ATTACK 

Another kind of attack is based on an approach called Multiplying-In-Dividing-Out 
(MIDO). It is used below to break the same two redundancy schemes. 



4.1. RIGHT-PADDED REDUNDANCY AGAIN 

Suppose that the actual message m on which a false signature is desired, can be written as the product of two numbers $a_1$ and $a_2$. Thus, $M = mw = a_1 a_2 w < n$. Now choose numbers $b_1$ and $b_2$ such that $M_1 = a_1 b_1 w < n$, $M_2 = a_2 b_2 w < n$, and $M_3 = b_1 b_2 w < n$ (e.g., choose any $b_1$ and $b_2$ with $b_1 < a_2$ and $b_2 < a_1$). Clearly, the three messages $M_1$, $M_2$ and $M_3$ are all valid, and $M = M_1 M_2 / M_3$ (hence the name MIDO). Thus, if one succeeds in getting A's signature on the valid messages $M_i$ (i = 1, 2, 3), one can also construct a false signature on the chosen message M.

One difference with the attack of §3.3 is that this MIDO attack works for any amount of redundancy. On the other hand, this MIDO attack will not work for all chosen messages m, since it may be infeasible or even impossible to factor the integer m. Of course, one could manipulate chosen factors to construct an appropriate actual message m, but this does not change the fact that there is only limited freedom in choosing m.

4.2. LEFT-PADDED REDUNDANCY REVISITED 

The following method illustrates how the MIDO approach can be used for attacking left-padded redundancy. It works for all valid messages M that can be written as a product $a_1 a_2$ with $a_1 > a_2 > 2$, such that $a_1 \ne a_2 + 1$ and either (a) $M - l > a_2$ and $u - M > a_1$ or (b) $M - l > a_1$ and $u - M > a_2$.

In case condition (a) holds, take

$M_1 = (a_1 - 1) a_2 = M - a_2$,
$M_2 = a_1 (a_2 + 1) = M + a_1$,
and $M_3 = (a_1 - 1)(a_2 + 1) = M + a_1 - a_2 - 1$.

Thus, $M = M_1 M_2 / M_3$, while condition (a) assures that all three messages $M_i$ (i = 1, 2, 3) are valid. The condition $a_1 \ne a_2 + 1$ assures that $M_3 \ne M$. For the case that condition (b) is true, $a_1$ and $a_2$ should be exchanged in the above description. Figure 4 illustrates how $M_1$, $M_2$ and $M_3$ are positioned in [l, u] if condition (a) holds.

Clearly, the chance of success with this method depends on the size and placement of the interval [l, u], and thus on the amount of redundancy. Furthermore, this method does not work for all chosen messages. However, it is easy to adapt this attack to work for almost any chosen valid message M. The only restriction will be that M should not be chosen too close to l or u. Such a restriction is not very severe, since, for example, $u - M$ and $M - l$ are both larger than $2^{-10}(u - l)$ for 99.8 percent of all valid messages.

Once M is chosen, one searches for "factors" $a_1$ and $a_2$ such that $M = (a_1 a_2) \bmod n$. (The important difference with the attack above is the addition of "mod n".) This can easily be accomplished by freely choosing one factor, say $a_1$, and then computing the other factor, $a_2$, as $(a_1^{-1} M) \bmod n$. Having fixed $a_1$ and $a_2$ one computes the numbers $c_1$ and $c_2$ with $|c_1| < 2n/(u - M)$ and $|c_2| < 2n/(M - l)$ such that $(c_1 a_1) \bmod n < (u - M)/2$ and $(c_2 a_2) \bmod n < (M - l)/2$. In the following, we only treat the case that both $c_1$ and $c_2$ are positive. Take

$M_1 = a_2(a_1 - c_2) \bmod n = M - (c_2 a_2 \bmod n)$,
$M_2 = a_1(a_2 + c_1) \bmod n = M + (c_1 a_1 \bmod n)$,
and $M_3 = (a_1 - c_2)(a_2 + c_1) \bmod n = (M + c_1 a_1 - c_2 a_2 - c_1 c_2) \bmod n$.

Fig. 4. The positions of $M_1$, M, $M_3$ and $M_2$ (in that order) in the interval [l, u] when condition (a) holds.

Thus, $M_1$ and $M_2$ are valid messages. Define z to be the minimum of $u - M$ and $M - l$. $M_3$ is also a valid message if $c_1 c_2$ is appropriately small, i.e., if $c_1 c_2$ is less than $z/2$. (See Figure 5 for an illustration.) Since $c_1 c_2$ is known to be less than $4n^2/z^2$, this product is certainly smaller than $z/2$ if $8n^2 < z^3$. Thus, the attack works essentially when the redundancy amounts to less than one third of a valid message.

In our example, both $u - M$ and $M - l$ are numbers of almost 600 bits. Therefore, $c_1$ and $c_2$ may be expected to be numbers of a good 200 bits. Thus, their product may be estimated to be a number of something like 400 bits, which usually will be negligibly small compared to M's distance to l and u. As a consequence, the chance that $M_3$ is not in the interval [l, u] is negligibly small.
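As an added example that is not the paper's code, the following Python script carries out the Euclid variation of §3.1 and the two chosen-message attacks of §3.3 (right-padded redundancy) and §4.2 (MIDO against left-padded redundancy) against a toy RSA signer. The primes, the constant $w = 2^{20}$, the interval [l, u], the chosen factor $a_1$ and the `Signer` class that signs only valid messages and refuses the target are all assumptions made here so that the script runs instantly; the paper's 800-bit example behaves the same way. The Euclid variation returns a small multiplier c (possibly negative, which is the paper's "apply the algorithm to $(-x) \bmod n$" case) rather than the smallest one, and its $|c| \le n/t$ bound is the one proved in §3.1.

```python
import math

# Assumed toy RSA key (not from the paper): fixed small primes so the attacks
# run instantly; the paper's example uses an 800-bit modulus instead.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # A's secret exponent d_A

def verify(M, S):
    return pow(S, E, N) == M

class Signer:
    """A signs only messages carrying the agreed redundancy, never the target
    message, and records what it signed so a forgery can be audited."""
    def __init__(self, is_valid, target):
        self.is_valid, self.target, self.signed = is_valid, target, []
    def __call__(self, M):
        assert 0 <= M < N and self.is_valid(M) and M != self.target
        self.signed.append(M)
        return pow(M, D, N)

def small_multiplier(x, n, t):
    """The Euclid variation of section 3.1: returns (c, r) with r = (c*x) mod n,
    0 < r <= t and 0 < |c| <= n // t.  A negative c is the paper's "apply the
    algorithm to (-x) mod n" case.  Finds a small c, not necessarily the smallest."""
    assert 0 < x < n and 0 < t < n and math.gcd(x, n) == 1
    r0, r1 = n, x            # remainders of Euclid's algorithm on (n, x)
    c0, c1 = 0, 1            # invariant: r_i == c_i * x (mod n)
    while r1 > t:            # stop as soon as a remainder is at or below t
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        c0, c1 = c1, c0 - q * c1
    assert (c1 * x) % n == r1 and 0 < abs(c1) <= n // t
    return c1, r1

# Section 3.3: right-padded redundancy, M valid iff M mod w == 0 (assumed w = 2^20).
W = 1 << 20
assert W * W < N                              # the attack needs w < n^(1/2)

def forge_right_padded(m1, sign):
    """Forge A's signature on actual message m1 from signatures on M2 = m2*w
    and M3 = m3*w, where m2 = (+-m3 * x) mod n and x = (m1*w)^-1 mod n."""
    bound = N // W                            # actual messages: 0 <= m < n div w
    assert 0 < m1 < bound
    M1 = m1 * W
    x = pow(M1, -1, N)
    c, m2 = small_multiplier(x, N, bound - 1)  # m2 = (c*x) mod n < n div w
    m3 = abs(c)                                # |c| <= n/(n div w), about w
    assert m3 < bound and m1 not in (m2, m3)
    S2, S3 = sign(m2 * W), sign(m3 * W)
    S1 = (S3 * pow(S2, -1, N)) % N             # M3 * M2^-1 == +-M1 (mod n)
    return S1 if c > 0 else (-S1) % N          # S_A(-M) = -S_A(M), d_A is odd

# Section 4.2: left-padded redundancy, M valid iff l <= M <= u (assumed interval).
L_, U_ = 1 << 44, (1 << 44) + (1 << 45)

def forge_left_padded_mido(M, sign):
    """Multiplying-In-Dividing-Out: M = M1*M2/M3 (mod n) with M1, M2, M3 in [l, u]."""
    assert L_ <= M <= U_
    z = min(U_ - M, M - L_)
    a1 = 123456789                                      # freely chosen factor
    a2 = (pow(a1, -1, N) * M) % N                       # so M = a1*a2 mod n
    c1, rho1 = small_multiplier(a1, N, (U_ - M) // 2)   # rho1 = c1*a1 mod n
    c2, rho2 = small_multiplier(a2, N, (M - L_) // 2)   # rho2 = c2*a2 mod n
    assert abs(c1 * c2) < z // 2                        # holds when 8 n^2 < z^3
    M1 = M - rho2                                       # a2*(a1 - c2) mod n
    M2 = M + rho1                                       # a1*(a2 + c1) mod n
    M3 = M + rho1 - rho2 - c1 * c2                      # (a1 - c2)*(a2 + c1) mod n
    assert all(L_ <= X <= U_ for X in (M1, M2, M3))
    assert (M1 * M2) % N == (M * M3) % N
    S1, S2, S3 = sign(M1), sign(M2), sign(M3)
    return (S1 * S2 * pow(S3, -1, N)) % N

def demo_right_padded(m1=0xC0FFEE):
    """Returns (forgery verifies, target was signed by A, number of oracle calls)."""
    M1 = m1 * W
    A = Signer(lambda X: X % W == 0, target=M1)
    return verify(M1, forge_right_padded(m1, A)), M1 in A.signed, len(A.signed)

def demo_left_padded(M=(1 << 45) + 12345):
    A = Signer(lambda X: L_ <= X <= U_, target=M)
    return verify(M, forge_left_padded_mido(M, A)), M in A.signed, len(A.signed)

if __name__ == "__main__":
    print("right-padded:", demo_right_padded())   # (True, False, 2)
    print("left-padded: ", demo_left_padded())    # (True, False, 3)
```

In both demonstrations the signer never sees the target message, yet the forged signature verifies under A's public key; the `Signer.signed` list is what a practitioner would inspect to confirm that only valid, non-target messages were ever signed.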




Fig. 5. 



CONCLUDING REMARKS 

The attacks presented use signatures obtained on messages having a redundancy property 
that are chosen to allow derivation of false signatures on other messages also having the redun- 
dancy property. The attacks are quite powerful, since they allow the derived message to be 
chosen freely or almost freely. 

One obvious way to protect against attacks such as those shown here in practice, which has 
been known in the "folklore" of cryptography for some time, is to apply some sort of one-way 
function to actual messages before signing them. This approach can be quite practical for long 
messages. But for short messages, it may have the disadvantage of data expansion and may be 
unnecessarily computationally expensive. 

There are of course signature schemes that do not appear to have the kinds of multiplica- 
tive structures used in the attacks presented here. These schemes generally have received less 
attention than RSA and most of those currently unbroken appear more expensive than RSA in 
various ways. An interesting and potentially attractive variation on RSA signatures, however, 
came out of this work [de Jonge 85]. 

Multiplicative properties of RSA and its variants should not necessarily be regarded as undesirable shortcomings to be avoided in improved systems, however, since they allow various powerful and often desirable functionality, such as blind signatures [Chaum 85]. Motivation for embarking on this line of inquiry in fact came from consideration of the needs for secure blind signature systems. In such systems, any message may be signed; only messages with the redundancy property are accepted; and the primary security requirement, called conservation of signatures, is that it should not be possible to construct more signatures than are issued. Thus such systems do require redundancy properties robust in the presence of multiplicativity. The simple schemes considered here demonstrate that such redundancy properties must be chosen with care.

ACKNOWLEDGEMENTS 

We are grateful to Evert Wattel and Jan-Hendrik Evertse for some stimulating discussions. 

REFERENCES 

(1) Chaum, D., "Security Without Identification: Transaction Systems to make Big Brother Obsolete," Communications of the ACM, Vol. 28, No. 10, October 1985, pp. 1030-1044.

(2) Davida, G.I., "Chosen Signature Cryptanalysis of the RSA (MIT) Public Key Cryptosystem," Technical Report TR-CS-82-2, University of Wisconsin, Milwaukee WI, October 1982.

(3) de Jonge, W., "Attacks on RSA Signatures and Countermeasures," in Security and Privacy in Information Systems: some technical aspects, Ph.D. Thesis, June 1985.

(4) DeMillo, R.A. and Merritt, M.J., "Chosen Signature Cryptanalysis of Public Key Cryptosystems," Technical Memorandum, School of Information and Computer Science, Georgia Institute of Technology, Atlanta GA, October 25, 1982.

(5) Denning, D.E., "The Many-Time Pad: Theme and Variations," Proceedings of the 1983 Symposium on Security and Privacy, April 25-27, 1983; the relevant part also appeared as "Digital Signatures with RSA and Other Public-Key Cryptosystems," Communications of the ACM, Vol. 27, No. 4, April 1984, pp. 388-392.

(6) Knuth, D.E., The Art of Computer Programming, Volume 2, Seminumerical Algorithms, Addison-Wesley, 1969.

(7) Rivest, R.L., Shamir, A., and Adleman, L., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, Vol. 21, No. 2, February 1978, pp. 120-126.



AN ATTACK ON A SIGNATURE SCHEME PROPOSED BY OKAMOTO AND SHIRAISHI

Ernest F. Brickell
Bell Communications Research
Morristown, NJ 07960

and

John H. DeLaurentis
Sandia National Laboratories
Albuquerque, NM 87185

Abstract 

Recently Okamoto and Shiraishi proposed a public key authentication system [1]. The security of the scheme is based on the difficulty of solving quadratic inequalities. This new system is interesting since the amount of computing needed for the proposed scheme is significantly less than that needed for an RSA encryption.

This report is an investigation into the security of the proposed 
digital signature scheme. We demonstrate that if the system is used 
as it is presented, an opponent could sign messages without factoring 
the modulus. Further, we suggest a modification which may not have 
the same flaw as the proposed scheme. 

Introduction 

Prior to the publication of this authentication system, Ong, 
Schnorr, and Shamir presented a public key signature scheme [2] which 
was based on the difficulty of solving a quadratic equation over the 
ring of integers modulo n (here n is the product of two large rational 
primes). Pollard produced a random polynomial time algorithm [3] 
which would allow an opponent to sign messages without knowing the 
secret key. In an attempt to overcome the weakness pointed out by 



* This work performed at Sandia National Laboratories supported by 
the U. S. Dept. of Energy under contract No. DE-AC04-76DP00789 . 

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 28-32, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






Pollard, a new version of the signature scheme was introduced [4]. 
This variant was based on the difficulty of solving a polynomial equa- 
tion over the quadratic integers. It has been shown that the new sys- 
tem is also insecure [5]. In fact, breaking the latest scheme can be 
"reduced" to the problem of solving the original quadratic equation. 

The digital signature scheme proposed by Okamoto and Shiraishi is similar to the ones proposed by Ong, Schnorr, and Shamir in that it is based on the difficulty of solving a quadratic expression. More precisely, the signature s is considered to be valid for the message m if and only if

(*) $h(m) \le s^2 \pmod n < h(m) + \delta$, $\quad \delta = O(n^{2/3})$

and s is not "small in absolute value"; that is, $\gamma < s < n - \gamma$, for a suitably chosen $\gamma$. Here $h(\cdot)$ is a "one-way" function and the modulus n has the form $n = p^2 q$, for large primes p, q. In this paper we will use the expression $x \pmod n$ to denote the least nonnegative integer congruent to x mod n. The idea behind the authentication scheme is to force an opponent to compute an approximate square root for h(m).



Cryptanalysis of the Basic Scheme

We show that an opponent can sign messages without knowing the factorization of n by using the following procedure: Choose x such that for some positive integers k, $\ell$ and nonnegative integer c we have

$2kx = \ell n + c$

where $k = O(n^{1/12})$ and $c = O(n^{1/6})$. (For example, let $x = \lceil n/2k \rceil$, $k = O(n^{1/12})$, $c = O(n^{1/6})$.) Next we calculate

$y = (h(m) - x^2) \pmod n$,

$z = (k^{-2} y) \pmod n$,

$a = \lceil \sqrt{z} \rceil = \sqrt{z} + \epsilon$,

here $\lceil w \rceil$ is the least integer which is greater than or equal to w. Finally we set

$s = x + ka$.

We sign the message m with s. To verify that s satisfies condition (*) notice that

$s^2 \pmod n = (x^2 + 2kxa + k^2 a^2) \pmod n$
$= (x^2 + ca + k^2 (z + 2\sqrt{z}\,\epsilon + \epsilon^2)) \pmod n$
$= (x^2 + ca + y + 2k^2 \sqrt{z}\,\epsilon + k^2 \epsilon^2) \pmod n$
$= (h(m) + ca + 2k^2 \sqrt{z}\,\epsilon + k^2 \epsilon^2) \pmod n$
$= h(m) + \Delta$

where $\Delta = O(n^{2/3})$ as desired.

This ensures that the signature s would be accepted as authentic. 
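The forgery above, as an added example that is not from the paper: a toy instance with $n = p^2 q$ for small fixed primes and SHA-256 as h. The primes, $k = 16$, the choice $\delta = n^{2/3}$, the threshold $\gamma$ and the restriction of h to values below $n - \delta$ (so that the integer comparison in (*) never wraps modulo n) are assumptions of this example; with them the error term $\Delta = ca + k^2(a^2 - z)$ is provably below $\delta$ for every message, not just on average.

```python
import hashlib
from math import isqrt

# Assumed toy parameters (not the paper's): n = p^2 q with small fixed primes so
# the forgery runs instantly; the real scheme uses primes of hundreds of bits.
P, Q = 1000003, 999983
N = P * P * Q
DELTA = int(round(N ** (2 / 3)))     # verifier's slack, delta = O(n^(2/3))
GAMMA = DELTA                        # assumed threshold: GAMMA < s < N - GAMMA

def h(m: bytes) -> int:
    """The scheme's one-way function (SHA-256 here).  Assumption: its range is
    kept below N - DELTA so that the comparison in (*) never wraps modulo n."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - DELTA)

def is_valid(m: bytes, s: int) -> bool:
    """Condition (*): h(m) <= s^2 (mod n) < h(m) + delta, plus the size check on s."""
    if not GAMMA < s < N - GAMMA:
        return False
    return h(m) <= (s * s) % N < h(m) + DELTA

def forge(m: bytes, k: int = 16) -> int:
    """Sign m without the factorization of n, following the procedure above.
    k = O(n^(1/12)); 16 keeps ca + k^2 (a^2 - z) below DELTA for this toy n,
    since c < 2k and a^2 - z < 2a with a <= sqrt(n)."""
    x = -(-N // (2 * k))             # x = ceil(n / 2k), so 2kx = n + c with 0 <= c < 2k
    c = 2 * k * x - N
    y = (h(m) - x * x) % N           # y = h(m) - x^2 (mod n)
    z = (pow(k, -2, N) * y) % N      # z = k^-2 y (mod n)
    a = isqrt(z)
    if a * a < z:                    # a = ceil(sqrt(z))
        a += 1
    return x + k * a                 # s = x + k a

def excess(m: bytes, s: int) -> int:
    """s^2 (mod n) - h(m); for a forged s this is ca + k^2 (a^2 - z), i.e. Delta."""
    return (s * s) % N - h(m)

if __name__ == "__main__":
    m = b"transfer 100 to Oscar"      # constructed sample message
    s = forge(m)
    print(is_valid(m, s), 0 <= excess(m, s) < DELTA)
```

The forger never touches p or q: the only modular inverse needed is that of $k^2$, which any party can compute since k is public to the forger and coprime to n.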

Cryptanalysis of the Lower Bits Method

Okamoto and Shiraishi proposed another signature scheme which they call the lower bits method. In addition to the modulus $n = p^2 q$ and the one-way function h, they add e to the public key where e is an integer and $e = O(n^{1/3})$. s is considered a valid signature of m if and only if for $s' = (s^2 - h(m)) \pmod n$ and s' the least nonnegative residue, either

$s' \equiv 0 \pmod e$

or

$(n - s') \equiv 0 \pmod e$,

and s is again not "small in absolute value."

An opponent can forge messages if he can take square roots mod e, which he can do if he knows the factorization of e. To forge a signature to m, pick x such that for some positive integers k, $\ell$ and nonnegative integer c

$2kx = \ell n + c$

where $k^2 e^2 + ce < n$. Next calculate

$x' = (h(m) - x^2) \pmod n$

and a such that $0 \le a < e$ and

$k^2 a^2 + ca \equiv x' \pmod e$.

Let $s = x + ka$. Then

$s^2 - h(m) \equiv x^2 + 2kxa + k^2 a^2 - h(m) \pmod n$
$\equiv x^2 - h(m) + k^2 a^2 + ca \pmod n$
$\equiv x^2 - h(m) + fe + x' \pmod n$
$\equiv fe \pmod n$

where f is the integer with $k^2 a^2 + ca = fe + x'$. Since

$0 \le k^2 a^2 + ca,\ x' < n$

then

$-n < fe < n$.

Hence if $s' = (s^2 - h(m)) \pmod n$ (i.e., s' is the least nonnegative residue), then either

$s' = fe$ (if $f \ge 0$)

or

$n - s' = -fe$ (if $f < 0$).

A Secure (?) Modification

Suppose that instead of signing messages with approximate square roots, the designer chose to sign messages with k-th roots, i.e., s is a signature for m whenever $s^k \approx h(m) \pmod n$, $k > 4$. To be more precise, the signature s is considered valid if the following inequality holds

(**) $h(m) \le s^k \pmod n < h(m) + \delta$, $\quad \delta = O(n^{2/3})$.

The legitimate user can sign messages in nearly the same fashion as in the original scheme. Pick a random $x \in \mathbb{Z}^*_{pq}$ ($\mathbb{Z}^*_{pq}$ is the multiplicative group modulo pq). Compute s as follows

$s = x + ypq$

where

$y = w (k x^{k-1})^{-1} \pmod p$

and

$w = \lceil (h(m) - x^k \pmod n) / (pq) \rceil$.

It can be shown that s satisfies (**). We do not know if the modified scheme possesses the same flaw as the original system. However, in view of the demonstrated weakness of the Okamoto-Shiraishi quadratic inequality scheme and the unsuccessful attempts made by Ong, Schnorr and Shamir, the security of the modified system is highly questionable.






A SECURE SUBLIMINAL CHANNEL (?)* 



Gustavus J. Simmons 
Sandia National Laboratories 
Applied Mathematics Department 
Albuquerque, New Mexico 87185 

Introduction 

At Crypto'83, the present author showed that a transmitter and chosen receiver(s) — by secretly exchanging some side information — could pervert an authentication without secrecy channel to allow them to convert a portion of the authentication information to a hidden (covert) communications channel [1]. It was also shown that under quite reasonable conditions even the detection of the existence of this covert channel could be made as difficult as the underlying authentication algorithm was "cryptosecure". In view of this open — but indetectable — existence, such a covert channel was called a "subliminal" channel. The examples constructed in [1] were more in the nature of existence proofs than of practical subliminal communications channels. At Eurocrypt'84 [2], however, it was shown how to use digital signature schemes as a way of realizing practical subliminal channels and, in particular, subliminal channels were devised using Ong and Schnorr's quadratic approximation scheme [3], Ong, Schnorr and Shamir's quadratic representation schemes [4] and Ong, Schnorr and Shamir's cubic signature scheme [5] as well as Gamal's discrete logarithm-based digital signature scheme [6]. Unfortunately, from the standpoint of providing a secure (and feasible) subliminal channel, all of these digital signature schemes were cryptanalyzed [7,8] shortly after being proposed. At Crypto'84, a fourth variant to the earlier digital signature schemes of Ong, Schnorr and Shamir was presented by Schnorr [9] which was also quickly cryptanalyzed [10]. At the 1985 IEEE Symposium on Security and Privacy, Okamoto and Shiraishi proposed yet another digital signature scheme based on quadratic inequalities [11] which had been designed to avoid the cryptanalytic weaknesses that had flawed the schemes of Schnorr, et al. The cryptanalysis of this scheme by Brickell and DeLaurentis is reported elsewhere in these Proceedings [12]. In view of the short-lived nature of all of these schemes, it has become a high risk venture to propose subliminal channels based on digital signatures. The motivation for doing so is that digital signatures can be much easier to calculate and verify than full-fledged two-key ciphers. As a result, the benefits (of a successful implementation) far outweigh

* This work performed at Sandia National Laboratories supported by the U.S. Department of Energy under contract no. DE-AC01-76DP00789.

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 33-41, 1986.
© Springer-Verlag Berlin Heidelberg 1986






the risks of perhaps having an insecure digital signature (or subliminal) channel slip by undetected. Based on the cumulative experience gained in cryptanalyzing the six digital signature schemes mentioned above, Brickell and DeLaurentis propose a new scheme in their paper that appears to avoid the weaknesses exploited in the earlier cryptanalyses.

It is an easy matter to adapt the Brickell-DeLaurentis digital signature scheme 
to accommodate a subliminal channel, however the resulting channel has a protocol 
weakness, common to all of the subliminal channels thus far devised, that we wish to 
avoid. In this paper we first point out the nature of this weakness and then pro- 
pose a modified form of the Brickell-DeLaurentis digital signature scheme in which a 
subliminal channel can be embedded — free of the protocol weakness. 

The Protocol Weakness (Problem)

The problem is that in all subliminal channels devised thus far, the subliminal receiver — by virtue of the side information that must be given to him by the transmitter to enable him to recover the subliminal communications -- is in a privileged position to impersonate the transmitter. In other words, the transmitter and subliminal receiver have to be mutually trusting and trustworthy parties. There are, of course, some applications in which this is the case, but in general the transmitter prefers that the ability to receive subliminal communications not be synonymous with an ability to forge indetectable signatures in his stead. Since the same protocol weakness runs through all of the subliminal schemes, we illustrate it using the channel which we proposed at Eurocrypt'84 based on the Ong, Schnorr and Shamir quadratic representation digital signature scheme [2,4]. In the interest of both completeness and brevity we summarize the essential points in their scheme for the three steps: key generation, signature generation and signature verification.

Key Generation

1. Tx chooses a composite n which is computationally infeasible to factor. The factorization of n is kept secret (if known).

2. Tx chooses a random u, (u,n) = 1, and calculates $k = -u^2 \pmod n$. u is kept secret.

3. Tx publishes n and k as his authentication key.



Signature Generation

Given a message m, (m,n) = 1, to be "signed":

1. Tx chooses a random r, (r,n) = 1. r is kept secret.

2. Tx calculates

$$ s_1 = \tfrac{1}{2}\left(\tfrac{m}{r} + r\right) \pmod n $$

$$ s_2 = \tfrac{1}{2u}\left(\tfrac{m}{r} - r\right) \pmod n $$

3. The triple $(m; s_1, s_2)$ is transmitted as the "signed" message.

Authentication of Signature

1. Rx receives $(m; s_1, s_2)$.

2. Rx calculates

$$ a = s_1^2 + k \cdot s_2^2 \pmod n $$

3. The message m is accepted as authentic if and only if

$$ a = m $$





To set up the subliminal channel, in addition to the steps taken by the transmitter in the key generation procedure for the digital signature scheme, the transmitter secretly communicates u to the designated receiver, Rx*, for the subliminal channel. Now, when the transmitter wishes to send a signed message m through the overt channel and a covert message m* through the subliminal channel, where it is still desired that both the Rx* and third parties be able to verify the authenticity of the signature to m, the transmitter generates the signature as follows.



Signature Generation for the Subliminal/Signature Channel

Given a message m, (m,n) = 1, to be "signed" and a message m*, (m*,n) = 1, to be communicated subliminally:

1. Tx calculates

$$ s_1 = \tfrac{1}{2}\left(\tfrac{m}{m^*} + m^*\right) \pmod n $$

$$ s_2 = \tfrac{1}{2u}\left(\tfrac{m}{m^*} - m^*\right) \pmod n $$

2. The triple $(m; s_1, s_2)$ is transmitted as the "signed" message.

Authentication of the signature by either the subliminal receiver, Rx*, or by third parties is unaffected by the presence of the subliminal communication. The subliminal receiver, however, knowing u can solve for the subliminal message as follows:

Decoding the Subliminal Message

The subliminal Rx*, given $(m; s_1, s_2)$ and knowing u, calculates

$$ m^* \equiv \frac{m}{s_1 + s_2 u} \pmod n $$

to recover the covert message m* "hidden" by the Tx in the signature of m.



Since the subliminal transmitter and receiver share the same piece of secret information, u, they are clearly interchangeable in terms of their capabilities. This is also true of the subliminal channel based on the Brickell-DeLaurentis digital signature scheme. In the next section, we show how to avoid this serious protocol failure in a subliminal channel embedded in a digital signature scheme similar to the one proposed by Brickell and DeLaurentis.
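The OSS-based channel just described, as an added worked example that is not code from Simmons' paper: a toy-sized Python implementation of key generation, signing, verification, subliminal embedding (the secret random r is replaced by m*) and decoding, followed by the protocol weakness the section describes, namely that the subliminal receiver, holding u, runs exactly the same signing routine as Tx. The modulus N and all sample values are constructed; OSS itself was cryptanalyzed by Pollard (refs [7], [8]), so the block illustrates the protocol structure only.

```python
"""Ong-Schnorr-Shamir (OSS) quadratic signatures with Simmons' subliminal
channel, to show the protocol weakness: whoever holds u can sign.
Constructed example; N is a toy modulus and OSS was broken by Pollard's
algorithm, so this illustrates protocol structure only."""
import secrets
from math import gcd

N = 1009 * 1013   # constructed toy composite n (its factors play no role here)


def keygen(u, n=N):
    """Public key (n, k) with k = -u^2 (mod n); u stays secret."""
    if gcd(u, n) != 1:
        raise ValueError("u must be invertible mod n")
    return (-u * u) % n


def sign(m, r, u, n=N):
    """s1 = (m/r + r)/2,  s2 = (m/r - r)/(2u)   (mod n)."""
    if gcd(m, n) != 1 or gcd(r, n) != 1:
        raise ValueError("m and r must be invertible mod n")
    m_over_r = m * pow(r, -1, n) % n
    s1 = (m_over_r + r) * pow(2, -1, n) % n
    s2 = (m_over_r - r) * pow(2 * u, -1, n) % n
    return s1, s2


def verify(m, s1, s2, k, n=N):
    """Accept iff s1^2 + k * s2^2 == m (mod n)."""
    return (s1 * s1 + k * s2 * s2) % n == m % n


def sign_subliminal(m, m_star, u, n=N):
    """The secret random r is simply replaced by the covert message m*."""
    return sign(m, m_star, u, n)


def decode_subliminal(m, s1, s2, u, n=N):
    """Rx*, knowing u: s1 + u*s2 = m/m*, so m* = m / (s1 + u*s2) (mod n)."""
    return m * pow((s1 + u * s2) % n, -1, n) % n


def sign_as_subliminal_receiver(m, u, n=N):
    """The weakness: Rx* needs no further secret to produce a signature that
    third parties accept; this is the very routine Tx runs."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            return sign(m, r, u, n)


if __name__ == "__main__":
    u = 12345                       # constructed secret shared with Rx*
    k = keygen(u)
    s1, s2 = sign_subliminal(777, 4242, u)
    print(verify(777, s1, s2, k), decode_subliminal(777, s1, s2, u))
```

The verification identity is the OSS one, $s_1^2 + k s_2^2 \equiv m$, and holds because with $k = -u^2$ the two squares collapse to $\tfrac{1}{4}[(m/r + r)^2 - (m/r - r)^2] = m$; the decoder uses that $s_1 + u s_2 = m/r$ regardless of which r was chosen.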



The Secure Subliminal Channel (?)

We borrow from Brickell and DeLaurentis the notion of basing the cryptosecurity of a digital signature on the difficulty of extracting approximate k-th roots in $Z_n$, n composite. While $n = p^2 q$ in their scheme, we require $n = p^2 qr$ for reasons that will become apparent later; p, q and r are all appropriately chosen primes, p > q and q > r. Again, in the interest of brevity, we summarize the essential points involved in signing messages using the modified Brickell-DeLaurentis digital signature scheme.



Key Generation

1. Tx chooses three primes p > q > r sufficiently large that $p^2 q$ is computationally infeasible to factor. p, q and r are kept secret.

2. Tx publishes $n = p^2 qr$ as his authentication key. The receivers need to know (or calculate) a bound $\delta = O(n^{2/3})$. The Tx may choose to treat $\delta$ as a redundant part of the key.

3. Both the Tx and Rx(s) know a one-way hashing function on messages, $h(m)$: $m \in Z_n$, $h(m) \in Z_n$, and an exponent k > 4.

Signature Generation

Given a message m, $m \in Z_n$, to be "signed":

1. Tx chooses a random $x \in Z^*_{pqr}$ ($Z^*_{pqr}$ is the set of integers less than pqr and relatively prime to q, p and r).

2. Tx first calculates the one-way hashing function h(m), and then calculates the signature s of m as follows:

a. $w = \left\lceil \dfrac{h(m) - x^k \pmod n}{pqr} \right\rceil$

b. $y = \dfrac{w}{kx^{k-1}} \pmod p$

c. $s = x + ypqr$

3. The pair (m; s) is transmitted as the "signed" message.

Authentication of Signature

1. Rx receives (m; s).

2. Rx calculates the hashing function h(m).

3. The message is accepted as authentic if and only if

$$ (1)\qquad h(m) \le s^k \pmod n < h(m) + \delta $$

In the Appendix we show that an s (signature) generated according to this protocol satisfies (1).

This modification of the Brickell-DeLaurentis scheme is at least as crypto- 
secure as their scheme. If these schemes turn out to be cryptosecure, this modifi- 
cation leads to the simplest subliminal channel yet devised. The transmitter 
secretly gives to the intended subliminal receiver(s) the prime r. Once this has 
been done, subliminal communication takes place as follows. 



Signature Generation for the Subliminal/Signature Channel

Given a message $m \in Z_n$ to be "signed" and another message $m^* \in Z_r$ to be communicated subliminally:

1. Tx calculates s using m*. He chooses a random $u \in Z_{pq}$ and calculates

$$ x = m^* + ur $$

which is used instead of a random $x \in Z^*_{pqr}$ to calculate s as before.

Any receiver, including the subliminal receiver(s), Rx*, can authenticate a message exactly as before, but in addition Rx* can recover m*.

Decoding the Subliminal Message

1. Rx*, given (m; s) and knowing r calculates

$$ s = x + ypqr = m^* + ur + ypqr \equiv m^* \pmod r $$

On the other hand, since one needs to know pqr in order to sign messages, a subliminal receiver — knowing only r and $n = p^2 qr$ — needs to factor $p^2 q$ in order to recover pqr. It thus appears that this subliminal channel is just as cryptosecure to a subliminal receiver attempting to impersonate the transmitter as the Brickell-DeLaurentis scheme is secure to an outsider attack.

Incidentally, if the same message were signed repeatedly, using either this scheme or the Brickell-DeLaurentis scheme, a random-appearing set of signatures would result.
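A worked implementation of the k-th root signature with $n = p^2 qr$ and the r-keyed subliminal channel, added here as an example; it is not code from Simmons' paper or from Brickell and DeLaurentis. It also covers the $n = p^2 q$ variant from the "Secure (?) Modification" section of the preceding paper, since the same algebra applies with the cofactor q in place of qr. The primes, the exponent k = 5, the SHA-256-based stand-in for h(m), and the requirement $h(m) < n - pqr$ (so that $h(m) + pqr$ never wraps past n) are constructed assumptions of this example; the parameters are far too small to be secure and serve only to check the arithmetic.

```python
"""Approximate k-th root signatures (n = p^2 q for Brickell-DeLaurentis,
n = p^2 q r for Simmons) and the subliminal channel keyed on r.
Constructed example with toy parameters; nothing here is secure."""
import hashlib
import secrets
from math import gcd

# Constructed toy primes p > q > r and an exponent k > 4 as on the page.
P, Q, R = 101, 97, 89
K = 5


def modulus(p, cof):
    """Return (n, p*cof) for n = p^2 * cof; cof = q or cof = q*r."""
    return p * p * cof, p * cof


def hash_msg(msg, n, bound):
    """Toy stand-in for h(m): SHA-256 reduced below n - bound (an assumption
    of this example) so that h(m) + bound never wraps past n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (n - bound)


def sign(hm, x, p, cof, k=K):
    """Steps 2a-2c: w = ceil((h(m) - x^k mod n) / (p*cof)),
    y = w / (k x^(k-1)) mod p,  s = x + y * p*cof."""
    n, pc = modulus(p, cof)
    if not (0 < x < pc and gcd(x, pc) == 1):
        raise ValueError("x must lie in Z*_{p*cof}")
    xk = pow(x, k, n)
    w = -((xk - hm) // pc)                        # ceiling division
    inv = pow(k * pow(x, k - 1, p) % p, -1, p)    # (k x^(k-1))^-1 mod p
    y = (w * inv) % p
    return x + y * pc


def verify(hm, s, p, cof, k=K):
    """Accept iff h(m) <= s^k (mod n) < h(m) + delta, with delta = p*cof,
    the bound proved in the Appendix (pqr when cof = q*r)."""
    n, pc = modulus(p, cof)
    return hm <= pow(s, k, n) < hm + pc


def random_x(pc):
    """A random element of Z*_{pc} for an ordinary (non-subliminal) signature."""
    while True:
        x = secrets.randbelow(pc)
        if x > 0 and gcd(x, pc) == 1:
            return x


def subliminal_x(m_star, u, p, q, r):
    """Tx's step: x = m* + u*r replaces the random x; m* in Z_r, u in Z_pq."""
    if not 0 < m_star < r:
        raise ValueError("m* must be a non-zero element of Z_r")
    if not 0 <= u < p * q:
        raise ValueError("u must lie in Z_pq so that x < pqr")
    x = m_star + u * r
    if gcd(x, p * q * r) != 1:
        raise ValueError("pick another u: x must lie in Z*_{pqr}")
    return x


def sign_subliminal(hm, m_star, u, p, q, r, k=K):
    return sign(hm, subliminal_x(m_star, u, p, q, r), p, q * r, k)


def decode_subliminal(s, r):
    """Rx*, knowing r: s = m* + u*r + y*p*q*r, hence s mod r = m*."""
    return s % r


if __name__ == "__main__":
    n, pqr = modulus(P, Q * R)
    hm = hash_msg(b"constructed message", n, pqr)
    s = sign_subliminal(hm, 57, 4242, P, Q, R)
    print(verify(hm, s, P, Q * R), decode_subliminal(s, R))   # True 57
```

Why the bound holds: $s^k = x^k + kx^{k-1}y\,pqr + (\text{terms divisible by } (pqr)^2)$, and $(pqr)^2$ is a multiple of n, while $y \equiv w/(kx^{k-1}) \pmod p$ makes $kx^{k-1}y\,pqr \equiv w\,pqr \pmod n$; so $s^k \bmod n = (x^k \bmod n) + w\,pqr$, which the ceiling places in $[h(m), h(m) + pqr)$. The subliminal decoder never needs p or q, which is exactly why Rx* cannot sign.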

Appendix

As in the discussion of a secure subliminal channel, let the modulus n be of the form

$$ n = p^2 qr, \qquad p > q > r \text{ all primes} $$

and $M \in Z_n$, $s \in Z^*_n$.

Theorem:

$$ (1)\qquad M \le s^k \pmod n < M + pqr $$

if and only if

$$ (2)\qquad s = x + ypqr $$

$$ (3)\qquad y = \frac{w}{kx^{k-1}} \pmod p $$

$$ (4)\qquad w = \left\lceil \frac{M - x^k \pmod n}{pqr} \right\rceil $$

where $x \in Z^*_{pqr}$, $y \in Z_p$ and $w \in Z_p$.

Proof:

First, assume that (1) holds. We show that (2), (3) and (4) follow. Given $s \in Z_n$, s has a unique representation of the form

$$ s = x + ypqr $$

where

$$ x \in Z^*_{pqr} \quad \text{and} \quad y \in Z_p. $$

x and y are given by

$$ s \equiv x \pmod{pqr} $$

and

respectively. Now form

$$ s^k = x^k + kx^{k-1}ypqr + p^2q^2r^2 \times (\text{higher order terms}) $$

$$ \equiv x^k + kx^{k-1}ypqr \pmod n $$

Now since (1) was satisfied by hypothesis

$$ M \le s^k \pmod n = x^k + kx^{k-1}ypqr < M + pqr $$

we have

$$ \frac{M - x^k \pmod n}{pqr} \le kx^{k-1}y < \frac{M + pqr - x^k \pmod n}{pqr} $$

$$ kx^{k-1}y = \left\lceil \frac{M - x^k \pmod n}{pqr} \right\rceil = w $$

and

$$ y = \frac{w}{kx^{k-1}} $$

Next, assume that (2), (3) and (4) hold, then

$$ s^k = x^k + kx^{k-1}ypqr + p^2q^2r^2\,(\text{HOT}) $$

$$ s^k \equiv x^k + kx^{k-1}ypqr \pmod n $$

Replacing y by $y = \dfrac{w}{kx^{k-1}}$ we obtain

$$ s^k \equiv x^k + wpqr \pmod n $$

and finally,

$$ s^k \equiv x^k + \left\lceil \frac{M - x^k \pmod n}{pqr} \right\rceil pqr \pmod n $$

from which (1) is an easy consequence.



References 



1. G. J. Simmons, "The Prisoners' Problem and the Subliminal Channel," Proceedings of Crypto'83, Santa Barbara, CA, Aug. 21-24, 1983, in Advances in Cryptology, Ed. by D. Chaum, Plenum Press, New York (1984), pp. 51-67.

2. G. J. Simmons, "The Subliminal Channel and Digital Signatures," Proceedings of Eurocrypt'84, to appear.

3. H. Ong and C. P. Schnorr, "Signatures through Approximate Representations by Quadratic Forms," Proceedings of Crypto'83, Santa Barbara, CA, August 21-24, 1983, to be published by Plenum Press.

4. H. Ong, C. P. Schnorr and A. Shamir, "An Efficient Signature Scheme Based on Quadratic Equations," Proceedings of 16th Symposium on Theory of Computing, Washington D.C., April 1984, to appear.

5. C. P. Schnorr, "A Cubic OSS-Signature Scheme," private communication, May 1984.

6. T. El Gamal, "A New Public Key Cryptosystem and Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, to appear.

7. J. M. Pollard, "Solution of $x^2 - Ky^2 \equiv m \pmod n$," Letter to Schnorr, 29/6/84.

8. J. Shallit, "An Exposition of Pollard's Algorithm for Quadratic Congruences," Technical Report 84-006, Department of Computer Science, University of Chicago, Dec. 1984.

9. H. Ong, C. P. Schnorr, and A. Shamir, "Efficient Signature Schemes Based on Polynomial Equations," to appear in Crypto'84, Lecture Notes in Computer Science, Springer-Verlag, NY (1984).

10. D. Estes, L. Adleman, K. Kompella, K. McCurley, G. Miller, "Breaking the Ong-Schnorr-Shamir Signature Scheme for Quadratic Number Fields," to appear.

11. T. Okamoto, A. Shiraishi, "A Fast Signature Scheme Based on Quadratic Inequalities," Proc. of the 1985 Symposium on Security and Privacy, April 1985, Oakland, CA.

12. E. Brickell and J. DeLaurentis, "An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi," these Proceedings.



UNCONDITIONALLY SECURE AUTHENTICATION SCHEMES
AND PRACTICAL AND THEORETICAL CONSEQUENCES

Yvo Desmedt¹

Dept. of Computer Science², University of New Mexico
Albuquerque, New Mexico, U.S.A.

current address:

Katholieke Universiteit Leuven, ESAT01
Kardinaal Mercierlaan 94, B-3030 Heverlee, Belgium

Abstract

The Vernam scheme protects the privacy unconditionally, but is completely insecure for protecting the authenticity of a message. Schemes will be discussed in this paper that protect the authenticity unconditionally. A definition of unconditional security is given. Stream cipher authentication schemes are proposed. The consequences for information protection using RSA and DES are discussed.

1. Introduction

We will start here by looking at how some authors discuss the protection of authenticity in a conventional cryptosystem. The definitions given for unconditional security will be reviewed. We will conclude that both subjects are mostly presented oversimplified. This will be explained by checking their definitions using the Vernam scheme (see Section 2). We will conclude that unconditional authentication protection is not discussed. Hereto we define unconditional security from the point of view of authenticity and we also redefine the old definition of an unconditionally secure cryptosystem (see Section 3). We will then build up an unconditionally secure authentication system (see Section 4). The practical and theoretical consequences will be presented (see Section 5).

Some authors, e.g., Denning [4] (pp. 10), claim that "in symmetric (conventional) cryptosystems ... secrecy cannot be separated from authenticity", and that "if users cannot access and $D_A$, then both the secrecy and authenticity of A's data is assured". However, today it is well known that one can authenticate the message (and the sender) without protecting the privacy (of the whole message (see the next-to-last paragraph of Section 4.3 and Section 6.1)). The NBS authentication method [11] (pp. 24) is an example of this. It is also known that some modes, e.g., the E.C.B. mode in DES, are insecure to protect the authenticity of a long message. As Diffie and Hellman [8] (pp. 646) said: "A cryptographic system intended to guarantee privacy will not, in general, prevent this latter


¹ NFWO appointed researcher; currently sponsored by the National Science Foundation of Belgium.
² This research was done while the author was Visiting Assistant Professor at the University of New Mexico.

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 42-55, 1986.
© Springer-Verlag Berlin Heidelberg 1986



form of mischief". One can conclude that Denning's ideas, cited earlier, are at least oversimplified. One can wonder if each cryptosystem which protects the privacy can also authenticate long messages if one uses modes (e.g. CFB or CBC).

The term unconditionally secure is misleading. One can have the impression that it covers more. When one says that the one-time pad cryptosystem is unconditionally secure, one can think that one can never attack the privacy or authenticity. The definition or use of unconditional security today only deals with privacy protection (see e.g. [4], [16], [17], [22]). As Simmons remarked in [22], Shannon's models [21] were only concerned with secrecy. One can wonder if a scheme which protects the privacy unconditionally does the same for the authenticity.

We will now answer both questions by discussing the Vernam (or one-time pad) cryptosystem [21], [24].

Important remark

If in the following sections we say that an intruder can inject a fraudulent message with a probability $p_i$ or that an active eavesdropper can modify a message with a probability $p_m$, we mean the following: in one out of $1/p_i$ (respectively $1/p_m$) cases the system used by the receiver will not automatically detect the injection (respectively the modification). Automatically here means that the system uses a different way to detect modifications in the message than using the redundancy in the language. If the reader does not agree with this restriction we remark that the worst case is a message without redundancy. In order to be able to deal with such messages the previous restriction is evident.

2. The Vernam scheme and authentication

As known, the Vernam scheme protects the privacy unconditionally [21]. Let us shortly explain how it works. Let $M = (m_1, m_2, \ldots, m_n)$ be the plaintext message, where $m_1$ is the first bit of the message, $m_2$ the second, and so on. Then the ciphertext $C = (c_1, c_2, \ldots, c_n)$ is the bitwise exor of M and the key K, or $c_i = m_i \oplus k_i$. The key K is really random and only used once. The decryption operation is similar: $m_i = c_i \oplus k_i$.

It is now easy to understand that the probability to inject a fraudulent bit is 1/2 (see important remark in Section 1). If the active eavesdropper wants that the receiver receives a bit 1, he injects a bit (it does not matter if it is a zero or a one that he injects). Because the key bit is in one out of two cases (on average) a 0 (and otherwise a 1), the receiver receives a 1 in one out of two cases. One can remark that the effect of this attack is not important, because if one wants that the receiver accepts a concrete fraudulent message of 100 bits, the probability to succeed by injecting a message is only $1/2^{100}$. However, in some cases the damage caused by the injecting of one bit may be important. That one bit may tell you to delete or not to delete a file, to transfer the money or not.

An even more serious attack is to modify the ciphertext. It is easy to understand that an active eavesdropper can modify a bit of the plaintext with a probability 1. Hereto he has only to complement the ciphertext bit. In the case the active eavesdropper does not know the plaintext, the effect of his action will probably be a not understandable message (sometimes called "garbage"). However, for terrorists that does not matter, it is enough to sabotage. If the active eavesdropper knows the plaintext, he can easily modify it as he wants (if the fraudulent message is not longer than the original one)!



[Figure 1: The Vernam scheme used in a CBC mode. The figure is not reproduced; its labels are: binary message, key, exor, 1-bit register (on the sender side) and ciphertext, key, exor, 1-bit register (on the receiver side).]



We can conclude that the Vernam scheme can not protect the authenticity. A similar remark was made by Feistel [9] (pp. 19-20), without coming up with an unconditionally secure authentication scheme. However, one could remark that, to protect the authenticity of a message, one has to use a mode and some redundancy at the end of the message (e.g. 64 zeros). In order to show that this does not help, we first suppose that the sender uses the CBC mode in feedforward and the receiver uses it in feedback (in order to have a large error propagation). The plaintext is followed by 64 zeros as authenticator. Using the Vernam scheme for the encryption and decryption devices we obtain Figure 1. The active eavesdropper can modify each bit of the message as he wants, without affecting the authenticator! Suppose he wants to modify $m_i$. His attack is successful if he complements bits $c_i$ and $c_{i+1}$ (where $c_i$ is the i-th transmitted ciphertext bit). If the active eavesdropper wants to modify more bits, he has to superimpose previous attack. If the sender and receiver do not want to protect the privacy and use hereto a similar scheme as the NBS one [11], the attack is similar, because the Vernam scheme encrypts bit after bit (its block length is one bit). The reader can easily extend the attack for other modes as CFB and OFB (see [11]).

We have shown that the Vernam scheme can not protect the authenticity. Schemes which protect the privacy do not necessarily protect the authenticity, even if some modes are used. This result can be extended to schemes which are similar (e.g. the Vigenère scheme).

We will now try to come up with cryptosystems which protect the authenticity unconditionally. Evidently, we have first to define what an unconditionally secure authentication scheme means.



3. New definitions for unconditional security

Definition 1: A cryptosystem protects the privacy unconditionally if, no matter how much ciphertext is intercepted, there is not enough information in the ciphertext to come up with a unique solution (plaintext), but many exist. Ideal and perfect cryptosystems [21] fall under this definition.

Remark that:

• the fact of unconditional security can not be affected by using more (e.g. an infinite amount of) computer time.

• if the appropriate security rules are satisfied (e.g. secrecy of the key) the cryptosystem can never be broken!

We now want to come up with a similar definition for the unconditional protection of the authenticity (of message and sender). Let us start from the last remark. So we would say that a cryptosystem protects unconditionally the authenticity if it can never be broken. However, then no cryptosystem at all would satisfy this definition. The process of authentication is probabilistic. If an active eavesdropper tries long enough (e.g. some centuries) he will be able to inject a fraudulent message or modify one. This follows from the fact that messages have finite lengths. So a better definition, based on the first remark, will now be given.

Definition 2: A cryptosystem protects the authenticity unconditionally with a security level P if the probabilities that an intruder can inject a fraudulent message or that an active eavesdropper can modify a message are less than or equal to 1/P, independently of how much computer time is used. If one of these probabilities is equal to one we say that the system is insecure (to protect the authenticity).

As a consequence of this definition the Vernam scheme is insecure related to authenticity. A scheme is considered to be insecure for practical purposes if the security level is "too" small. We will not discuss what "too" small means; the reader is referred to [5] and [6].

The effect of birthday attacks [1], [14] (pp. 127) is not discussed in this paper. Let us now build cryptosystems which satisfy the last definition.

4. Building unconditionally secure authentication schemes

Based on the analysis of the Vernam scheme we will first try to come up with cryptosystems which protect the authenticity unconditionally. Because the schemes which will be proposed in Section 4.1 do not satisfy, partly or totally, the definition, we will in Section 4.2 come up with a secure one. In Section 4.3 a more practical version will be discussed. Finally, by combining other schemes with the ones discussed here, one can still improve the practical aspects (see Section 4.4).

4.1. Trials

We have seen that the Vernam scheme is bit oriented. In the first proposal we use an authenticator for each bit. Each bit of the message is followed by a fixed pattern (e.g. 64 zeros). All these bits are then encrypted using the Vernam scheme. We now give a formal way to describe this scheme. If the plaintext $M = (m_1, m_2, \ldots, m_n)$ then the input for the Vernam scheme is $A = (a^1_1, a^2_1, \ldots, a^q_1, a^1_2, a^2_2, \ldots, a^q_2, \ldots, a^1_n, a^2_n, \ldots, a^q_n)$, where $a^j_i$ are bits such that for all i ($1 \le i \le n$) we have $(a^1_i, a^2_i, \ldots, a^q_i) = (m_i, 0, \ldots, 0)$ in the case the fixed pattern is $(0, 0, \ldots, 0)$ and $q - 1$ = length of the fixed pattern. The ciphertext is then $C = (c^1_1, c^2_1, \ldots, c^q_1, c^1_2, c^2_2, \ldots, c^q_2, \ldots, c^1_n, c^2_n, \ldots, c^q_n)$ where $c^j_i = a^j_i \oplus k^j_i$ and the key is $K = (k^1_1, k^2_1, \ldots, k^q_1, k^1_2, k^2_2, \ldots, k^q_2, \ldots, k^1_n, k^2_n, \ldots, k^q_n)$, where $k^j_i$ is a bit (for all i and j, where $1 \le i \le n$ and $1 \le j \le q$). Remark that we have an expansion of the ciphertext and the key with a factor q (e.g. ×65). This scheme is however insecure (from the point of view of authenticity) because an active eavesdropper can complement a ciphertext bit corresponding with an information bit, without modifying the ciphertext bits corresponding with that authenticator (in other words complementing $c^1_i$, without modifying any $c^j_i$ where j satisfies $2 \le j \le q$). This implies that the probability that an active eavesdropper can modify a message is evidently one.

In another proposal the information bit is placed at random in the authenticator. The mathematical description of this scheme is similar, except that $(a^1_i, a^2_i, \ldots, a^q_i) = (0, 0, \ldots, 0, m_i, 0, \ldots, 0, 0)$, where the bit $m_i$ appears on a random location. In order that the receiver could verify that location he has to know the random value (otherwise an active eavesdropper can easily modify a message bit 0 into a message bit 1). This random value is a part of the authentication key. We define the authentication key as the key which is used to protect the authenticity, and the privacy key as the key which is used to protect the privacy. The length of the authentication key is $n \cdot \lceil \log_2 q \rceil$. The length of the privacy key is $q \cdot n$ and the expansion of the ciphertext is q. The probability that an active eavesdropper can modify a message bit is however high and is 1/q. Evidently, if the active eavesdropper knows q and modifies one bit of the q bits randomly, the probability to modify the bit corresponding with a certain $m_i$ is 1/q. In order to obtain a practically acceptable security level (e.g. $2^{64}$) the expansion of the ciphertext has to be enormous, because the security level only increases linearly with increasing expansion of the ciphertext.

The last scheme will be modified to come up with an unconditionally secure authentication scheme, for which the security level increases exponentially with linearly increasing ciphertext and key expansion.

4.2. A secure scheme

By studying previous proposal we see that the security level is q, and there exist q different $(a^1_i, a^2_i, \ldots, a^q_i)$ for each $m_i = 1$. In general, we can have $2^q - 1$ different $(a^1_i, a^2_i, \ldots, a^q_i) \ne (0, 0, \ldots, 0)$. Hereto we use an authentication key $H = (h^1_1, h^2_1, \ldots, h^q_1, h^1_2, h^2_2, \ldots, h^q_2, \ldots, h^1_n, h^2_n, \ldots, h^q_n)$, random such that for all i: $(h^1_i, h^2_i, \ldots, h^q_i) \ne (0, 0, \ldots, 0)$, and the key H is secret and used only once by sender and receiver (similar as in the Vernam scheme). The scheme differs only from previous one in the fact that for each bit $m_i$: $(a^1_i, a^2_i, \ldots, a^q_i) = m_i \cdot (h^1_i, h^2_i, \ldots, h^q_i)$. In other words if $m_i = 0$ then $(a^1_i, a^2_i, \ldots, a^q_i) = (0, 0, \ldots, 0)$, otherwise $(a^1_i, a^2_i, \ldots, a^q_i) = (h^1_i, h^2_i, \ldots, h^q_i)$.

Remark that in the discussed scheme the ciphertext expansion is still q. The length of the authentication key is $q \cdot n$, and the same for the privacy key. So the complete key used in this scheme is 2q times longer than in the Vernam scheme.

The discussed scheme protects the authenticity unconditionally with a security level $2^{q-1}$. An intruder can inject a bit 0 with a probability $1/2^q$, because in order to inject a 0 (after the legitimate (i-1)-th bit was sent) he has to guess the correct $(k^1_i, k^2_i, \ldots, k^q_i)$ and because these bits are really random he has only a probability $1/2^q$ to succeed. A similar reasoning is true for the case he wants to inject a 1 (remark that $(h^1_i \oplus k^1_i, h^2_i \oplus k^2_i, \ldots, h^q_i \oplus k^q_i) \ne (k^1_i, k^2_i, \ldots, k^q_i)$ for all i). So he can inject a bit with a probability $1/2^{q-1}$. An active eavesdropper can modify a bit with a probability $1/(2^q - 1)$, because he has to guess correctly $(h^1_i, h^2_i, \ldots, h^q_i)$. Remark that it is "hard" for an active eavesdropper to mix the bits of the plaintext, or to retransmit them, because the key is really random and only used once. This follows easily from previous discussion. Remark that previous discussions remain valid if we consider known plaintext attacks, as long as the privacy and authentication keys are secret.

In order to better understand the discussed scheme let us wonder what happens if we do not protect the privacy (or if $(k^1_1, k^2_1, \ldots, k^q_1, k^1_2, k^2_2, \ldots, k^q_2, \ldots, k^1_n, k^2_n, \ldots, k^q_n) = (0, 0, \ldots, 0)$). The reader can easily verify that the injection of a bit 0 or the modification of a plaintext bit 1 into a 0 is easy. However, it is "hard" to inject a bit 1 or to modify a plaintext bit 0 into a 1. We can conclude that the protection of the privacy is necessary in order to protect, with this scheme, the authenticity. However, one can easily imagine situations in which the protection of a bit 1 is more crucial than the protection of a bit 0 [5], [6]. In E.F.T. for example, the plaintext can be a bit 1 if the transaction is authorized, a 0 in the other cases. Following our definition of unconditional security we do not consider the scheme secure under these circumstances. One can wonder if the key H has to be secret. The answer is evidently yes, otherwise an active eavesdropper can easily modify the message.

Without discussing if this scheme is practical (see Section 5.1) we can remark that such a large text expansion is impractical. It slows down the communication and makes it much more expensive! For these reasons a more practical scheme will now be presented.

4.3. A more practical scheme

An unconditionally secure authentication system which is based on the one discussed in the previous section will be presented. For the previous scheme, remark that if an intruder wants to inject two bits the probability to succeed is $1/2^{2q-2}$. In general it is $1/2^{mq-m}$ for $m$ bits, because each bit has its own authenticator. A similar reasoning is true for the modification of $m$ bits. In this section we will only use one authenticator for the whole message. That idea will also solve the speed and cost problem of the previous scheme. Nevertheless the new scheme is also unconditionally secure.

In this scheme we send the message $M$ enciphered with the Vernam scheme, followed by an authenticator of $q$ bits. So the ciphertext is $C = (c_1, c_2, \ldots, c_n, c_{n+1}^1, c_{n+1}^2, \ldots, c_{n+1}^q)$ such that for $i < n+1$ we have $c_i = m_i \oplus k_i$, where $c_i$, $m_i$ and $k_i$ are bits. For $i = n+1$ we have $c_{n+1}^j = r^j \oplus k_{n+1}^j$ for each $j$ such that $1 \leq j \leq q$, where $c_{n+1}^j$, $r^j$ and $k_{n+1}^j$ are bits. $R = (r^1, r^2, \ldots, r^q)$ is the authenticator and $K' = (k_1, k_2, \ldots, k_n, k_{n+1}^1, k_{n+1}^2, \ldots, k_{n+1}^q)$ is the privacy key. Remark that $c_i^j$ has no meaning here if $i < n+1$; similarly for the key and for the message. The register $R$ is built up iteratively when each message bit $m_i$ is sent, using the authentication key $H = (h_1^1, h_1^2, \ldots, h_1^q, h_2^1, h_2^2, \ldots, h_2^q, \ldots, h_n^1, h_n^2, \ldots, h_n^q)$. The contents of $R$ in the beginning is 0, then $(r^1, r^2, \ldots, r^q) := (r^1 \oplus m_i h_i^1, r^2 \oplus m_i h_i^2, \ldots, r^q \oplus m_i h_i^q)$ for each $m_i$, where $1 \leq i \leq n$. In other words at the end

$$r^j = \bigoplus_{i=1}^{n} m_i h_i^j \quad \text{for each } j\ (1 \leq j \leq q). \qquad (1)$$

This scheme is unconditionally secure with a security level $2^q - 1$. An intruder can inject a message that will be accepted with a probability $1/2^q$, because for a given message only one of the $2^q$ possible values of the authenticator $R$ is accepted. An active eavesdropper can only modify one bit of the message with a probability $1/(2^q - 1)$ to succeed, because he has to guess the correct $(h_i^1, h_i^2, \ldots, h_i^q)$ if he wants to modify $m_i$. If he wants to modify more bits, he has to guess the correct modification of $R$ (see Eqn. 1), and the probability to succeed is only about $1/2^q$.

In order to better understand this scheme, let us wonder if we need to protect the privacy. If we do not protect the privacy (or if $K'$ is equal to zero), then the previous reasoning remains valid, except that it is easy to inject the message $(0, 0, \ldots, 0)$ or to modify a message into that zero message. Indeed, for a zero message the authenticator $R$ is zero, whatever $H$ is. However a very simple protocol can overcome the transmission of a zero message. One could for example agree that if the first bit of the message is one, the real message is zero, and that if the first bit of the message is zero then the message is not zero. With such a protocol the pattern $(0, 0, \ldots, 0)$ will never be sent and as a consequence the authenticity of the message can be protected without protecting the privacy. Remark that the authentication key $H$ has to be secret in all circumstances, otherwise modification is easy.
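As an added example (this is not code from the paper), the scheme of Section 4.3 on bit lists, together with the two checks the text argues: a single-bit modification passes for exactly one of the $2^q - 1$ non-zero guesses of $(h_i^1, \ldots, h_i^q)$, and with $K' = 0$ the all-zero message is accepted for every $H$ until the first-bit convention removes that pattern. The function names, the seeded key generation and the decision to draw the words $h_i$ non-zero (which the paper's $1/(2^q - 1)$ figure presupposes) are assumptions of the example.

```python
from random import Random

def keygen(n, q, rng):
    """Privacy key K' = (k_1, ..., k_n, k_{n+1}^1, ..., k_{n+1}^q) and authentication key
    H = (h_1, ..., h_n), each h_i holding the q bits (h_i^1, ..., h_i^q) as one integer.
    The words h_i are drawn non-zero (assumption of this example, see lead-in).  The
    seeded generator only makes the demonstration reproducible; a real key must be
    truly random and used once, as the paper requires."""
    k_priv = [rng.getrandbits(1) for _ in range(n)]
    k_tag = rng.getrandbits(q)
    h = [rng.randrange(1, 1 << q) for _ in range(n)]
    return k_priv, k_tag, h

def authenticator(m_bits, h):
    """Eqn. (1), all j at once: r = XOR of the words h_i at the positions where m_i = 1."""
    r = 0
    for m_i, h_i in zip(m_bits, h):
        if m_i:
            r ^= h_i
    return r

def send(m_bits, k_priv, k_tag, h):
    """C = (m_1 XOR k_1, ..., m_n XOR k_n) followed by R XOR (k_{n+1}^1, ..., k_{n+1}^q)."""
    c_bits = [m ^ k for m, k in zip(m_bits, k_priv)]
    return c_bits, authenticator(m_bits, h) ^ k_tag

def receive(c_bits, c_tag, k_priv, k_tag, h):
    """Strip the pad, rebuild R from the recovered bits and compare with the received one."""
    m_bits = [c ^ k for c, k in zip(c_bits, k_priv)]
    return m_bits, (c_tag ^ k_tag) == authenticator(m_bits, h)

def flip_bit(c_bits, c_tag, i, guess):
    """Active eavesdropper: flip message bit i and XOR his guess of h_i into the tag part."""
    c2 = list(c_bits)
    c2[i] ^= 1
    return c2, c_tag ^ guess

def accepted_guesses(c_bits, c_tag, i, k_priv, k_tag, h, q):
    """Number of the 2^q - 1 non-zero guesses for h_i under which the flipped bit passes."""
    return sum(1 for g in range(1, 1 << q)
               if receive(*flip_bit(c_bits, c_tag, i, g), k_priv, k_tag, h)[1])

def encode_never_zero(m_bits):
    """Protocol against the zero message when no privacy key is used: a leading 1 says
    'the real message is zero'; a leading 0 prefixes a message that is not zero."""
    if not any(m_bits):
        return [1] + [0] * len(m_bits)
    return [0] + list(m_bits)

def decode_never_zero(e_bits):
    return [0] * (len(e_bits) - 1) if e_bits[0] == 1 else list(e_bits[1:])

def demo(n=16, q=8, seed=1):
    rng = Random(seed)
    k_priv, k_tag, h = keygen(n, q, rng)
    m = [rng.getrandbits(1) for _ in range(n)]   # constructed sample message
    c_bits, c_tag = send(m, k_priv, k_tag, h)
    legit = receive(c_bits, c_tag, k_priv, k_tag, h) == (m, True)
    # one-bit modification: exactly one guess (h_i itself) is accepted, hence 1/(2^q - 1)
    hits = accepted_guesses(c_bits, c_tag, 3, k_priv, k_tag, h, q)
    # K' = 0: the all-zero message has R = 0 whatever H is, so it passes without any key
    zero_passes = receive([0] * n, 0, [0] * n, 0, h)[1]
    # with the first-bit convention the all-zero pattern is never transmitted
    never_zero = all(any(encode_never_zero(x)) for x in ([0] * n, m))
    roundtrip = all(decode_never_zero(encode_never_zero(x)) == x for x in ([0] * n, m))
    return legit, hits, zero_passes, never_zero and roundtrip
```

`demo()` returns `(True, 1, True, True)`: the legitimate message is accepted, one of the $2^q - 1$ guesses modifies a bit undetected, the zero message passes when no pad is used, and the encoding keeps that pattern off the wire.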

The discussed scheme can be used to protect the authenticity of a message without protecting the privacy. However this system is not acceptable in countries or in circumstances where "others" want to be able to verify that the communication is not used for spying. Such situations can occur as a restriction of local laws, or where communication is used to verify military actions, e.g., a ban on the testing of nuclear weapons [22]. The reason why the described algorithm is unacceptable is that one can understand the message $M$, but one is never sure that the sender will not transmit a secret message instead of the authenticator $R$.

The length of the key in these schemes is $(q+1)n$ bits respectively $qn + n + q$ bits, depending on whether we only protect the authenticity, or privacy and authenticity. The key expansion is only half of that of the scheme discussed in Section 4.2. The ciphertext expansion here is $(n+q)/n$, which is not significant. Now a scheme will be presented in which the length of the key is only about double the length of the message (about $2n$ bits). Remark that in a practical secure scheme $q$ is normally 64, such that the expansion of the key in the scheme we just discussed is still large.

4.4. Other unconditionally secure authentication schemes

Some other authors discussed unconditionally secure authentication schemes before, but did not use this name. Simmons [23] and Brickell [2] discussed several bounds related to the security level, the key length, etc. They called a system perfect (or double perfect) if the key was used optimally, or was not longer than necessary. Gilbert et al. [12] discussed implementations of such perfect authentication systems.

It is easy to prove that the schemes discussed in the previous sections are not perfect in the sense defined by Simmons [23] or double perfect as defined by Brickell [2]. This means that the key is not used optimally. To obtain such an optimal key length one could use projective planes, as discussed in [12] on pp. 414-415. However for long messages (e.g. megabits) the calculations in the Gilbert scheme are awful. Now a scheme will be presented which is unconditionally secure, for which the calculations are not too awful, and for which the expansion of the key is only about two.

The idea is that the users first agree on a lower bound for the security level $P$. The message is divided up in blocks of length $q = \lceil \log_2 P \rceil$ bits. So the message $M = (M_1, M_2, \ldots, M_a)$ where $a \cdot q \geq n$ and $(a-1) \cdot q < n$. If $n$ is not a multiple of $q$ then one fills the message up with zeros. The security level will be $2^q$. For each $q$ bits a key of length $2q$ bits is used. So the length of the total key is $2aq$ (about $2n$) bits and is really random. The idea of projective planes [12] is used to generate for each $M_i$ a binary vector $(t_i^1, t_i^2, \ldots, t_i^q)$ in $GF(2^q)$ (remark that this binary vector was called $c$ on page 414 in [12]). The scheme continues as the previous one (see Section 4.3) except that:

• instead of $H$ the vectors $(t_i^1, t_i^2, \ldots, t_i^q)$ are used, where $1 \leq i \leq a$

• Eqn. 1 is replaced by:

$$r^j = \bigoplus_{i=1}^{a} t_i^j \quad \text{for each } j\ (1 \leq j \leq q). \qquad (2)$$

• The scheme is normally used to protect the authenticity; if you also want to protect the privacy you use a different privacy key whose length is $n$ bits.
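The following added example (not the paper's code) carries the scheme of Section 4.4 through for $q = 8$: the block split with zero padding, the $2q$ key bits per block, Eqn. 2, and a count showing that an attacker who has seen one block and its contribution to the tag finds a substituted block accepted under exactly one of the $2^q$ keys consistent with what he saw. The paper does not spell out how [12] turns $M_i$ and its key into $t_i$; the affine map $t_i = a_i M_i + b_i$ over $GF(2^q)$ used here is the usual reading of the Gilbert, MacWilliams and Sloane construction, and that map, the field polynomial, the seeded key generation and all names are assumptions of the example.

```python
from math import ceil, log2
from random import Random

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, modulus of GF(2^8); an assumption of this example

def gf_mul(x, y, q=8, poly=POLY):
    """Multiplication in GF(2^q): carry-less product reduced by the field polynomial."""
    r = 0
    for _ in range(q):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> q:
            x ^= poly
    return r

def block_length(P):
    """q = ceil(log2 P) for the agreed lower bound P on the security level."""
    return ceil(log2(P))

def split_blocks(bits, q):
    """M = (M_1, ..., M_a) with a*q >= n > (a-1)*q; the last block is zero-padded.
    Each block is returned as the integer whose binary digits are its q bits."""
    a = ceil(len(bits) / q)
    padded = list(bits) + [0] * (a * q - len(bits))
    return [int("".join(str(b) for b in padded[i * q:(i + 1) * q]), 2) for i in range(a)]

def keygen(a, q, rng):
    """2q really random bits per block, read as the pair (a_i, b_i) in GF(2^q)^2.
    The seeded generator is only there to make the demonstration reproducible."""
    return [(rng.getrandbits(q), rng.getrandbits(q)) for _ in range(a)]

def contribution(m_i, key_i, q=8):
    """t_i = a_i * M_i + b_i in GF(2^q): the vector (t_i^1, ..., t_i^q) (assumed map)."""
    a_i, b_i = key_i
    return gf_mul(a_i, m_i, q) ^ b_i

def tag(blocks, key, q=8):
    """Eqn. (2): r^j = XOR over i of t_i^j, i.e. the XOR of all block contributions."""
    r = 0
    for m_i, key_i in zip(blocks, key):
        r ^= contribution(m_i, key_i, q)
    return r

def substitution_success(m_old, m_new, t_old, t_new, q=8):
    """Attacker's view of one block: he saw M_i = m_old contribute t_old and wants
    M_i' = m_new to contribute t_new.  Returns (number of keys (a_i, b_i) consistent
    with what he saw, number of those under which the forgery is accepted)."""
    consistent = [(a, t_old ^ gf_mul(a, m_old, q)) for a in range(1 << q)]
    wins = sum(1 for key_i in consistent if contribution(m_new, key_i, q) == t_new)
    return len(consistent), wins

def demo(seed=2):
    rng = Random(seed)
    q = block_length(200)                            # P = 200 gives q = 8
    bits = [rng.getrandbits(1) for _ in range(61)]   # constructed message, n = 61
    blocks = split_blocks(bits, q)                   # a = 8 blocks, the last one padded
    key = keygen(len(blocks), q, rng)                # 2aq = 128 key bits for 61 message bits
    return q, len(blocks), 2 * q * len(key), tag(blocks, key, q)
```

Whatever the attacker observed, `substitution_success` returns a single winning key out of $2^q$ whenever `m_new` differs from `m_old`, which is the security level $2^q$ the text states; the key for a 61-bit message is 128 bits, i.e. about $2n$.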

In the next section we will discuss the practical and theoretical consequences.

5. Practical and theoretical consequences

All schemes we discussed can be extended if we replace the modulo 2 sum by another modulo sum (e.g. modulo 53). We will wonder if the discussed schemes are useful. Consequences of the discussed schemes on the security of stream ciphers and DES will also be discussed.

5.1. Are the previous schemes useful?

If you find the Vernam scheme impractical for your application, you will find the discussed schemes also impractical. If however you are dealing with national security (e.g., military and diplomacy) or you need unconditional security, the discussed schemes are interesting. If you use the Vernam one-time pad, you have to take into consideration that e.g. terrorists can modify your messages. As a consequence of terrorist attacks and of computer networks the problem of authenticity becomes more and more important, also in domains such as the military or other governmental organizations. The discussed schemes allow to protect the authenticity unconditionally. The scheme discussed in Section 4.4 is preferable because the ciphertext expansion is about nonexistent, while the length of the key is only about twice the length of the message. The security level obtained is less than the one which can be obtained with [2], [12], [22], but the scheme is much more practical if long or very long messages are sent, while one can still choose the security level one wants. The key is used as in Vernam, so it is random and distributed beforehand in a secure way. Senders and receivers can easily handle messages of variable length.

5.2. Stream ciphers protecting authenticity

Some authors, e.g. Denning [4] (p. 144), say that stream ciphers have the disadvantage that the message can easily be modified. The schemes which we discussed here, and certainly the one in Section 4.3, allow to modify stream ciphers such that they can be used to protect the authenticity. However their security is no longer unconditional, because stream ciphers generate pseudorandom sequences, and their security is based on computational complexity. If one adapts stream ciphers to protect authenticity, we suggest using a different key for the pseudorandom generator which will be used to protect the privacy and for the one which will be used to protect the authenticity.

5.3. Hashing and unconditionally secure authentication

One could remark that the final solutions (proposed in Section 4.3 and in Section 4.4) hide the use of hashing, which seems the natural solution. However if hashing is used in these schemes, one loses the unconditional security. Indeed the difficulty to find two different texts which produce the same authenticator is then based on computational complexity. The solution of hashing can be used when unconditional security is not necessary, e.g. in the scheme discussed in Section 5.2.

Most of the schemes which we will discuss further on do not protect the authenticity unconditionally; however some remarks are also valid for them.

5.4. The protection of privacy and authenticity together

In the schemes we have discussed we used a different key to protect the privacy from the one used to protect the authenticity. We suggest that a similar strategy be used for all cryptosystems. Jueneman et al. [15] suggested the same in their paper. Another example of the importance of using different keys will be discussed in Section 5.5.

We can also conclude that in a conventional system the protection of privacy and authenticity are partly (see the penultimate paragraph of Section 4.3 and Section 6.1) separable, and that the use of a mode such as e.g. CBC does not necessarily guarantee the protection of the authenticity. So we do not agree with the remark of Denning [4] (p. 10), cited in the introduction (Section 1).

5.5. The consequences on the use of DES

Today DES [10] is probably the most used commercial crypto algorithm. An authentication scheme was proposed by the NBS [11]. We will show that if you protect both privacy and authenticity with the same key, a fraudulent message may be easily injected, and that one can easily modify messages. Jueneman et al. [15] suggested using different keys to protect the authenticity and the privacy. Several attacks were presented for the case that the same key would be used, even if the NBS authentication method is used. They were able to modify the message without affecting the authenticator; however the received plaintext will (in almost all cases) be "garbage". The attack which will be presented now allows an active eavesdropper to modify a message into a fraudulent one he chooses! So in bank applications he is able to transfer money to his account such that the fraud will not be detected by the authentication system.

The attack presented here is an adaptation of an idea originating from Cloetens [3]. In [13] a realistic exhaustive keysearch machine was presented which would break DES in about four weeks, and would cost about $1,000,000. The idea is to use such a machine. Hereto let us make some reasonable assumptions: the key is only modified once every four weeks, the privacy protection uses the same key as the authentication process and the active eavesdropper uses a known plaintext attack. He can then exhaustively determine the key, starting from a block of the ciphertext and a block of the plaintext. This attack is not influenced by the mode the encryption system uses. Once that key is found, the active
eavesdropper can inject or modify messages. One could argue that by modifying the key frequently enough, the attack is no longer valid. However, it can still be used! Suppose that the sender and receiver modify their key every $s$ seconds. The active eavesdropper can now stop his exhaustive keysearch machine every $s$ seconds and try to find the next key. If the machine does this process enough randomly (during each key interval it searches a random fraction $1/x$ of the key space), it will not find a key after four weeks with a probability

$$\left(1 - \frac{1}{x}\right)^{x}, \qquad \text{where } x = \frac{3600 \cdot 24 \cdot 7 \cdot 4}{s}$$

is the number of key changes in four weeks. In the limit a key will be found after four weeks with a probability $1 - e^{-1}$, in eight weeks with a probability $1 - e^{-2}$, and so on. Once a key is found the active eavesdropper modifies the message as he wants.

Remark that the above attack is valid for all modes as long as the key used to protect the privacy is the same as the key used to protect the authenticity, even if that key is modified frequently! Also, for several non-standard implementations of the DES such an attack is possible. Remark that the attack cannot be avoided by using a different key for each message (e.g. the first message is encrypted using key $K_1$, the second with $K_2$ and so on). Indeed the attack is even in the limit ($s \to 0$) still valid. To realize the attack, it is enough to add a delay in the transmission and to have the described exhaustive machine, which can be easily restarted. Even in the case the key used to protect the authenticity is different from the one used to protect the privacy, care is necessary. Indeed if short messages are sent, it is trivial to prove that a similar attack is still valid. The time needed to break increases only linearly with the length of the message. This is a consequence of the linearly increasing time to calculate the authenticator, and of the exhaustive attack. As in the above case, it does not help to modify the key frequently. Such situations of short messages can be forced with chosen text attacks! Better exhaustive machines (than the one discussed in [13]) can make the discussed attacks cheaper, faster and so on. This discussion is certainly outside the scope of this paper (for more details see [7]).

Each encryption algorithm which is "similar" to DES suffers from this attack. The meaning of "similar" is explained in [18]. One could wonder if it would not be better to always use the so called "triple encryption" in order to avoid such and similar attacks. But even in that case we recommend that the key used to protect the privacy be different from the key used to protect the authenticity.

6. Can a public key scheme protect the authenticity without privacy?

6.1. Introduction

It is evident that the RSA scheme [19], [20] can protect (today) the authenticity of short messages (taking into consideration that a secure key is chosen [4]). However not so much research is done to protect the authenticity of long messages with RSA. Indeed, if one divides the message up in blocks and authenticates the blocks separately then an active eavesdropper can mix the blocks up, repeat them, delete some, and so on. To protect the authenticity of long messages, some authors propose the use of hashing functions, or propose to use DES and to distribute the key with RSA, or to use a protocol that "ping-pongs" the message from sender to receiver and back and so on. However these ideas have several disadvantages:

• hashing functions suffer mostly from "meet-in-the-middle" attacks [1]

• protocols, hashing functions and DES are extra costs

• ping-pong protocols slow down the communication

• hashing functions and DES do not allow the protection of the authenticity without excluding the possibility to transmit secret information. In some cases this is not acceptable, e.g., as in arms limitation control [22] or if some country does not allow that encrypted messages are sent to foreign countries. Using a hashing function or DES, the authenticator can be replaced (e.g. partly) by secret information.

• randomness can not be used, because it can be misused for sending secret information.

We wonder if in a public key system privacy and authenticity are completely separable under the conditions mentioned (we don't use hashing functions, or a conventional cryptosystem, or a ping-pong protocol, or randomness). We will now come up with a mode to protect the authenticity of long messages; however the presented scheme is not secure.

[Figure 2: CBC mode with a public key algorithm to protect authenticity. Only the caption and the block labels survive extraction: on the sender side a register and the decryption under the secret key, with the fixed message pattern appended; on the receiver side a register and the encryption E under the public key.]

6.2. An insecure proposal

In the scheme we use a CBC mode (see Figure 2) to protect the authenticity. The sender uses a feedforward and the decryption algorithm with his secret key. The message is followed by a fixed pattern $A$ as authenticator (a variable one could contain secret information, which we do not want). The receiver uses a feedback and the encryption algorithm with the public key of the sender. The initial contents of the registers used in the feedforward and feedback is fixed and publicly known, otherwise we partly protect the privacy. We call this initial contents $I$. Because a feedback has a large error propagation one could expect that this system is secure. However this scheme is insecure if an active eavesdropper knows one block, e.g. $I$. Because the receiver uses the public key, an active eavesdropper is able to follow exactly what the contents of the register is in the device of the receiver; he is also able to see what the output is, and so on. He can now attack the protection by modifying arbitrarily all sent blocks, except the last one corresponding with the authenticator. He will also modify the last transmitted block, however he calculates the modification such that the receiver still receives the authenticator $A$. Because he is able to do all the calculations the receiver does, he knows the last received message block $M'_n$ (the block just before the authenticator). If the active eavesdropper had not modified the transmitted blocks, the receiver would have received $M_n$ instead of $M'_n$. The last block transmitted by the sender is $M_n \oplus D(A)$, where $D(\cdot)$ is the decryption operation. If the active eavesdropper exors $M_n \oplus M'_n$ with the last block, the receiver will accept the message.

Using this attack the received message will probably be "garbage"; nevertheless it will be accepted in an automatic system. For terrorists it does not matter if the received text is garbage, sabotage is enough. The active eavesdropper knows however the message that the receiver will receive and can try to come up with better "garbage".

The mode proposed here is insecure, and one can wonder if a secure mode exists. As long as no secure mode is found to protect the authenticity of long messages without protecting privacy, and which satisfies the mentioned conditions, we have to conclude that authenticity can not be completely separated from privacy. This conclusion would be strange!

7. Conclusions

7.1. Overview of the presented results

We came up with several unconditionally secure authentication schemes. Notwithstanding that they are not perfect in the sense of Simmons' definition, the last unconditionally secure scheme proposed in our paper is more practical than the perfect ones.

We came up with stream ciphers which protect the authenticity.

We demonstrated that the ideas of Denning [4] about conventional systems are oversimplified. There exist conventional systems that protect the privacy but not the authenticity (e.g. the Vernam one-time pad).

The protection of privacy and the protection of authenticity (and integrity) are partly separable; we wonder if they are completely separable.

7.2. Advice for users

If you need to protect privacy and authenticity, use different keys for the different purposes.

Use triple encryption in DES. A standard (e.g. ANSI, ISO) which does not always use triple encryption is unacceptable. This is true both for the protection of the authenticity and for the protection of privacy (a full discussion would be too long and out of the scope of this paper, see [7] and [13]).

7.3. Acknowledgements

The author wants to thank Ernest Brickell for discussions about perfect authentication systems. These discussions would have been impossible without the visiting position at the University of New Mexico, to which I am very grateful. The author thanks Henri Cloetens for his personal communication about the authentication with DES.

REFERENCES

[1] S. G. Akl, "On the security of compressed encodings," Advances in Cryptology, Proc. Crypto 83, Santa Barbara, California, U.S.A., August 21-24, 1983, pp. 209-230.

[2] E. F. Brickell, "A few results in message authentication," Congressus Numerantium, vol. 43, December 1984, pp. 141-154.

[3] H. Cloetens, personal communication.

[4] D. E. R. Denning, Cryptography and Data Security, Addison-Wesley, Reading, Mass., 1982.

[5] Y. Desmedt, J. Vandewalle and R. Govaerts, "The mathematical relation between the economic, cryptographic and information theoretical aspects of authentication," IEEE Intern. Symp. Inform. Theory, St. Jovite, Quebec, Canada, September 26-30, 1983, Abstracts of papers, p. 93.

[6] Y. Desmedt, Analysis of the Security and New Algorithms for Modern Industrial Cryptography, Doctoral Dissertation, Katholieke Universiteit Leuven, Belgium, October 1984.

[7] Y. Desmedt, F. Hoornaert and J.-J. Quisquater, paper in preparation.

[8] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Trans. Inform. Theory, vol. IT-22, no. 6, pp. 644-654, November 1976.

[9] H. Feistel, "Cryptography and computer privacy," Scientific American, vol. 228, no. 5, May 1973, pp. 15-23.

[10] FIPS publication 46, "Data Encryption Standard," Federal Information Processing Standards Publ., National Bureau of Standards, January 1977.

[11] FIPS publication 81, "DES modes of operation," Federal Information Processing Standard, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., U.S.A., 1980.

[12] E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane, "Codes which detect deception," Bell Syst. Tech. Journ., vol. 53, no. 3, March 1974, pp. 405-424.

[13] F. Hoornaert, J. Goubert, and Y. Desmedt, "Efficient hardware implementations of the DES," Advances in Cryptology, Proc. Crypto 84, Santa Barbara, California, U.S.A., August 19-22, 1984 (Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1985), pp. 147-173.

[14] R. R. Jueneman, "Analysis of certain aspects of output feedback mode," Advances in Cryptology, Proc. Crypto 82, Santa Barbara, California, U.S.A., August 23-25, 1982, pp. 99-127.

[15] R. R. Jueneman, S. M. Matyas and C. H. Meyer, "Authentication with manipulation detection code," Proceedings of the 1983 IEEE Symposium on Security and Privacy, Oakland, California, April 1983, pp. 33-54.

[16] D. Kahn, "Modern Cryptology," Scientific American, July 1966, pp. 38-46.

[17] A. Konheim, Cryptography: A Primer, John Wiley, Toronto, 1981.

[18] J.-J. Quisquater, Y. Desmedt and M. Davio, "The importance of "good" key scheduling schemes (How to make a DES* scheme with < 48 bit keys?)", presented at Crypto '85, Santa Barbara, August 1985, to appear in: Advances in Cryptology, Proc. Crypto 85 (Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1986).

[19] R. L. Rivest, A. Shamir, and L. Adleman, "On digital signatures and public-key cryptosystems," Massachusetts Institute of Technology Technical Report MIT/LCS/TM-82, Cambridge, Massachusetts, April 1977.

[20] R. L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM, vol. 21, no. 2, pp. 120-126, February 1978.

[21] C. E. Shannon, "Communication Theory of Secrecy Systems," Bell Syst. Tech. Journ., vol. 28, pp. 656-715, Oct. 1949.

[22] G. Simmons, "Symmetric and Asymmetric Encryption," ACM Computing Surveys, vol. 11, no. 4, December 1979.

[23] G. Simmons, "Authentication theory/coding theory," Advances in Cryptology, Proc. Crypto 84, Santa Barbara, California, U.S.A., August 19-22, 1984 (Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1985).

[24] G. S. Vernam, "Cipher Printing Telegraph Systems for Secret Wire and Radio Telegraphic Communications," Journal American Institute of Electrical Engineers, vol. XLV, pp. 109-115, 1926.



On the Security of Ping-Pong Protocols
when Implemented using the RSA

(Extended Abstract)

Shimon Even¹, Oded Goldreich¹˒², Adi Shamir³

ABSTRACT

The security of the RSA implementation of ping-pong protocols is considered. It is shown that the obvious RSA properties, such as "multiplicativity", do not endanger the security of ping-pong protocols. Namely, if a ping-pong protocol is secure in general then its implementation using an "ideal RSA" is also secure.

1. INTRODUCTION 

When studying the security of cryptographic protocols, one can take one of the following two approaches:

1) Distinguish between the security of the "high level structure" of the protocol and the security of the cryptosystems used for its implementation. The aim is, mainly, to better understand the structure of secure protocols and issues related to it. While studying the (security of the) structure of a protocol, it is assumed that the protocol is "implemented" with "ideal" cryptosystems. In other words, the cryptosystems are treated as if they were free of any properties which are not implied by the cancellation of encryption with the corresponding decryption. Such a treatment usually has an algebraic flavour.

This approach can be found in [NS], [DY], [DLM], [DEK], [EG] and [EGL].

2) Study the security of a concrete implementation of the protocol with respect 
to the concrete cryptosystems used for the implementation. The aim is to 
develop concrete provably-secure protocols and to present a methodology for 

1 Computer Science Dept., Technion, Haifa, Israel. 

2 Currently in MIT, Lab. for Computer Science. Supported in part by a Weizmann Postdoctoral Fellowship. 

3 Department of Applied Mathematics, Weizmann Institute, Rehovot, Israel. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 58-72, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






developing and proving correctness of protocols. Characteristic tools in this approach are generalized notions of polynomial-time reductions.

This approach was pursued in [LMR], [GMR], [BGMR], [ACGM], [CF] and [GHY].

In this paper, we follow the first approach, but introduce some influences of the second approach. More specifically, we study the "high level structure" of protocols implemented using "ideal-RSA" cryptosystems (i.e. cryptosystems which possess only the obvious properties of the RSA). Our aim is to try to characterize the structure of protocols which are secure with respect to the obvious properties of the RSA. We restrict our study to a simple class of public-key protocols, known as ping-pong protocols. The reason for this restriction is that testing the security of protocols from a slightly extended class has been shown to be undecidable [EG]. We show that as far as the security of ping-pong protocols is concerned the obvious properties of the RSA do not give an adversary any additional edge. Put in other words, ping-pong protocols which are secure with respect to "ideal cryptosystems" remain secure with respect to "ideal-RSA".

Our work was partially motivated by Denning's study of the weaknesses of the RSA implementation of a simple signing protocol [D]. We show that the weaknesses pointed out in [Da] and [D] are due to the insecurity of the "high level structure" of the protocol and not to the fact that it was implemented using the RSA. We further discuss this issue in section 7.



2. PING-PONG PROTOCOLS AND THEIR SECURITY

In this section we recall the basic definitions regarding ping-pong protocols and their security problem.

2.1 Public Key Cryptosystems

Following [DH], a public key cryptosystem (PKCS) is a set of pairs of functions, such that every user $X$ has an encryption function $E_X$ and a decryption function $D_X$. Both functions are mappings from $\{0,1\}^*$ to $\{0,1\}^*$. There is a public directory containing all $(X, E_X)$ pairs, while the decryption function $D_X$ is known only to $X$. It is required that

(1) For every $m \in \{0,1\}^*$, $E_X(D_X(m)) = D_X(E_X(m)) = m$. $D_X$ is the inverse function of $E_X$.

(2) It is infeasible to recover $x$ when given $E_X(x)$ (and $E_X$).

For further details consult [DH] and [RSA].

In the rest of this paper we will refer to the encryption and decryption functions as operators. Operator words are defined (as usual) as the composition of operators; i.e. the operator word $\sigma_l \cdots \sigma_2 \sigma_1$ maps $m \in \{0,1\}^*$ to $\sigma_l(\cdots \sigma_2(\sigma_1(m)) \cdots)$. Two operator words $\alpha$ and $\beta$ are said to be equivalent if for every $m \in \{0,1\}^*$, $\alpha(m) = \beta(m)$. The equivalence between operator words will be denoted by $\equiv$.

Property (1) above implies the following

Operators' Cancellation Rules:

for every $X$, $E_X D_X \equiv D_X E_X \equiv$ the identity operator.

Property (2) above implies that user $X$ can only apply encryption operators and his own decryption operator (i.e. operators from the set $\{D_X\} \cup \{E_Y : Y$ is any user in the network$\}$).

2.2 Ping-Pong Protocols

Following [DY], a ping-pong protocol $P(X,Y)$ is a sequence $(\alpha_1, \alpha_2, \ldots, \alpha_l)$ of operator words, such that $\alpha_{2i-1} \in \{D_X, E_X, E_Y\}^*$ and $\alpha_{2i} \in \{D_Y, E_X, E_Y\}^*$. Here $X$ and $Y$ are variables. In a concrete execution of the protocol they are substituted by the names of the participants.

An execution of protocol $P(\cdot,\cdot)$ by parties $A$ and $B$, regarding the initial message $m_0 \in \{0,1\}^*$, proceeds as follows: In the first phase party $A$ applies $\alpha_1[A,B]$ to the initial message $m_0$, and transmits the result to $B$. In other words, in the first phase $A$ transmits $m_1 = \alpha_1[A,B](m_0)$ to $B$. In the $2i$-th phase $B$ applies $\alpha_{2i}[A,B]$ to $m_{2i-1}$, and transmits the result ($m_{2i} = \alpha_{2i}[A,B](m_{2i-1})$) to $A$. In the $(2i+1)$-st phase $A$ applies $\alpha_{2i+1}[A,B]$ to $m_{2i}$, and transmits the result ($m_{2i+1} = \alpha_{2i+1}[A,B](m_{2i})$) to $B$. Here $\alpha_i[A,B]$ denotes the operator word which results from $\alpha_i$ by substituting $E_X$ [$D_X$] by $E_A$ [$D_A$] and $E_Y$ [$D_Y$] by $E_B$ [$D_B$].

2.3 Security of Ping-Pong Protocols 

Following [DY], we say that a ping-pong protocol .P(y) is insecure if parties 
which did not take part in an execution of P (hereafter referred to as the 
saboteurs) can find out the initial message transmitted in that execution. To this 
end the saboteurs can initiate other executions of P and rely on the operators' 
cancellation rules (i.e. E X D X = D X E X = the identity operator). It was shown 
[DEK] that it is sufficient to consider a single saboteur. A formal definition of 
insecurity follows: 



61 



Definition 1: Let $P(X,Y) = (\alpha_1, \alpha_2, \ldots, \alpha_l)$ be a ping-pong protocol (as in the previous subsection).

Let $A$, $B$ and $S$ denote three distinct users.

Let $\Sigma_Z = \{D_Z\} \cup \{E_U : U \text{ is any user name}\}$. ($\Sigma_X$ denotes the set of operators which may be applied by user $X$.)

Let $I(A,B,S) = \{\alpha_i[X,Y] : 1 \le i \le l \text{ and } X \ne Y \in \{A,B,S\}\}$. ($I(A,B,S)$ is the set of operator words which may be effected on messages in executions of the protocol $P(\cdot,\cdot)$ by two users out of $A$, $B$ and $S$.)

Let $\Delta = (\Sigma_S \cup I(A,B,S))^*$.

The protocol $P(\cdot,\cdot)$ is insecure if there exists an operator word $\gamma \in \Delta$ such that $\gamma\alpha_1[A,B]$ is equivalent (under the operators' cancellation rules) to the identity operator. The operator word $\gamma\alpha_1[A,B]$ is called an insecurity string.
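As an added example (not code from the paper), the following Python implements Definition 1 as a bounded breadth-first search: it reduces operator words under the cancellation rules and looks for a saboteur word whose composition with $\alpha_1[A,B]$ cancels to the identity. It assumes the network consists only of $A$, $B$ and the saboteur $S$, bounds the length of reduced intermediate words to keep the search finite, and checks two protocols constructed here.

```python
"""Bounded checker for Definition 1 (insecurity of a ping-pong protocol).
Added example, not code from the paper.

An operator is a (kind, user) pair with kind "E" or "D"; an operator word is a
tuple of operators written as in the paper: the RIGHTMOST operator is applied
first, so (E_A, D_B) is the function m -> E_A(D_B(m)).
"""
from collections import deque

USERS = ("A", "B", "S")   # assumption: the two honest parties and one saboteur S


def instantiate(word, x, y):
    """alpha[x,y]: substitute the protocol variables X and Y by user names."""
    return tuple((kind, {"X": x, "Y": y}[who]) for kind, who in word)


def cancel(word):
    """Irreducible form under E_X D_X = D_X E_X = identity.  Only adjacent
    pairs cancel, so one stack pass finds it."""
    stack = []
    for op in word:
        if stack and stack[-1][1] == op[1] and stack[-1][0] != op[0]:
            stack.pop()            # E_X next to D_X (either order) vanishes
        else:
            stack.append(op)
    return tuple(stack)


def saboteur_generators(protocol):
    """Generators of Delta = (Sigma_S u I(A,B,S))^*: S's own decryption, every
    public encryption, and every alpha_i[X,Y] for distinct X, Y in {A, B, S}."""
    gens = [("D_S", (("D", "S"),))]
    gens += [(f"E_{u}", (("E", u),)) for u in USERS]
    for i, word in enumerate(protocol, start=1):
        for x in USERS:
            for y in USERS:
                if x != y:
                    gens.append((f"alpha_{i}[{x},{y}]", instantiate(word, x, y)))
    return gens


def find_insecurity_string(protocol, max_len=6):
    """Breadth-first search for gamma with gamma * alpha_1[A,B] = identity.
    Returns S's operations in the order he applies them, or None when no
    reduced intermediate word of length <= max_len reaches the identity."""
    gens = saboteur_generators(protocol)
    start = cancel(instantiate(protocol[0], "A", "B"))
    parent = {start: None}
    queue = deque([start])
    while queue:
        word = queue.popleft()
        if word == ():             # gamma * alpha_1[A,B] reduced to the identity
            steps = []
            while parent[word] is not None:
                word, name = parent[word]
                steps.append(name)
            return steps[::-1]
        for name, gen in gens:
            nxt = cancel(gen + word)          # S applies gen after everything so far
            if len(nxt) <= max_len and nxt not in parent:
                parent[nxt] = (word, name)
                queue.append(nxt)
    return None


# Constructed protocols (not taken from the paper's text).
# P1 = (E_Y, E_X D_Y): A sends E_B(m0), B decrypts and re-encrypts for A.
P1 = ((("E", "Y"),), (("E", "X"), ("D", "Y")))
# P2 = (E_Y, E_X E_Y): D_A and D_B never occur in any saboteur generator.
P2 = ((("E", "Y"),), (("E", "X"), ("E", "Y")))

if __name__ == "__main__":
    print(find_insecurity_string(P1))   # ['alpha_2[S,B]', 'D_S']
    print(find_insecurity_string(P2))   # None
```

For P1 the search returns the insecurity string $D_S\,\alpha_2[S,B]\,\alpha_1[A,B]$; for P2 the answer None is exact rather than a consequence of the length bound, since no generator ever contains $D_A$ or $D_B$.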

Remark 1: The above definition (in which only one saboteur is considered) is
equivalent to a definition in which more than one saboteur is considered. The
latter definition can be obtained by redefining $\Delta$ as follows



A proof of the equivalence of the two definitions can be found in [DEK]. It is 
interesting to note that this equivalence does not hold for ping-pong protocols for 
more than two parties [EG]. 

Discussion: Note that under (the insecurity) Definition 1, the only properties of the public-key cryptosystem exploited by the saboteur (in his attack on the protocol) are the most obvious and general ones; namely the cancellation of encryption with the corresponding decryption. Definition 1 can be interpreted as considering only the security of the "high level structure" of the protocol.

Testing "high level security" may obviously provide evidence for the insecurity of a concrete implementation of the protocol, but it cannot provide a proof that a particular implementation (with a particular public-key cryptosystem) is secure.

3. THE RSA AND ITS PROPERTIES 

The RSA is the most popular implementation of the concept of a public-key cryptosystem. This system, presented in 1978 by Rivest, Shamir and Adleman [RSA], is widely believed to be secure. However, the encryption/decryption functions of the RSA possess obvious properties which are not implied by the cancellation rules. We begin by presenting the RSA functions and continue by discussing their properties.





3.1 The RSA Functions 

An instance of the RSA consists of a composite integer $N$ which is the product of two large primes $p$ and $q$, and two integers $e$ and $d$ such that $ed$ is congruent to 1 modulo $\phi(N)$ ($\phi(N) = (p-1)(q-1)$ is the Euler function).

To create an instance of the RSA, user $A$ randomly picks two large primes $p$ and $q$, and a number $e$ relatively prime to $(p-1)(q-1)$. User $A$ computes $N = pq$ and $d = e^{-1} \bmod (p-1)(q-1)$. User $A$ places $[A, (N,e)]$ in the public directory and keeps all other information (in particular $d$, $p$ and $q$) secret.

Encryption is done by raising the message to the $e$-th power modulo $N$, while decryption is done by raising the message to the $d$-th power modulo $N$. Everyone can encrypt a message so that $A$ can decrypt it. It is assumed that knowledge of the factorization of $N$ is needed in order to be able to decrypt (and factorization is considered intractable). For simplicity let us identify the username (i.e. $A$) with the modulus $N$ he uses. The encryption function of user $N$ will be denoted by $E_N$ and $N$'s decryption function will be denoted by $D_N$.

Formal Setting: Let us denote by $Z_N$ the set of all residues modulo $N$ (i.e. $Z_N = \{0,1,2,\ldots,N-1\}$). By the above we have, for every $m \in Z_N$,

$E_N(m) = m^e \bmod N$ and $D_N(m) = m^d \bmod N$

It can be easily shown that $E_N$ and $D_N$ cancel each other [RSA].

In addition to the cancellation of encryption by the corresponding decryption, the RSA possesses additional obvious relations, which we now discuss.

3.2 The Properties of the RSA 

The main properties of the RSA are that the set of almost all its message space forms a group with respect to multiplication modulo $N$, and that the encryption and decryption operators are homomorphisms over this group. Note that the RSA induces a permutation over $Z_N^*$. For simplicity, we restrict the message space to $Z_N^* \subset Z_N$. This excludes only $p+q-1$ elements, a negligible fraction of the original message space ($Z_N$).

In subsection 3.3 it will be shown that all the other obvious properties of the RSA can be derived from the above. This includes the fact that $D_N$ is a homomorphism, the fact that $E_N(1) = 1$, etc.




3.3 Axiomatization

In this subsection we present a complete axiomatization of the RSA properties discussed above. In the formal treatment, we will denote the message space by $M_X$. Recall that $E_X$ and $D_X$ are inverse permutations over $M_X$. A multiplication operator over $M_X$ will be considered. It is axiomatized that this operator (denoted by $\mu_X$) together with the set $M_X$ forms an Abelian group. It is also axiomatized that $E_X$ is a homomorphism of this group.

A0) Cancellation Axiom: For every $m \in M_X$ the following holds

$D_X(E_X(m)) = E_X(D_X(m)) = m$.

A1) Abelian Group Axiom: The set $M_X$ and the binary operation $\mu_X$ form an Abelian group. That is, $\mu_X : M_X \times M_X \to M_X$ satisfies the following (for every $m, m_1, m_2, m_3 \in M_X$):

A1.1) $\mu_X(m_1, \mu_X(m_2, m_3)) = \mu_X(\mu_X(m_1, m_2), m_3)$
A1.2) $\mu_X(1, m) = \mu_X(m, 1) = m$.
A1.3) There exists an $m^{-1} \in M_X$ such that $\mu_X(m, m^{-1}) = \mu_X(m^{-1}, m) = 1$.
A1.4) $\mu_X(m_1, m_2) = \mu_X(m_2, m_1)$

A2) Homomorphism of the Encryption: For every $m_1, m_2 \in M_X$ the following holds

$E_X(\mu_X(m_1, m_2)) = \mu_X(E_X(m_1), E_X(m_2))$

An equivalent formulation is achieved by generalizing the multiplication operator $\mu_X$ to take arbitrarily many arguments, and by introducing the multiplicative inverse function $I_X$.

The RSA Equalities

E0) Cancellation of Encryption/Decryption: For every $m \in M_X$, $D_X(E_X(m)) = m$ and $E_X(D_X(m)) = m$.

E1) Nested Multiplication: For every $m_1, m_2, \ldots, m_d \in M_X$, and $0 \le i < j \le d$,

$\mu_X(m_1, \ldots, m_i, \mu_X(m_{i+1}, \ldots, m_j), m_{j+1}, \ldots, m_d) = \mu_X(m_1, m_2, \ldots, m_d)$.

E2) Redundant Multiplication: For every $m \in M_X$, $\mu_X(m) = m$.

E3) Redundant Identity: For every $m_1, \ldots, m_d \in M_X$, and $d \ge 1$,

$\mu_X(m_1, \ldots, m_i, 1, m_{i+1}, \ldots, m_d) = \mu_X(m_1, \ldots, m_i, m_{i+1}, \ldots, m_d)$.

E4) Inverse: For every $m, m_1, \ldots, m_d \in M_X$, $d \ge 0$ and $i \le j$,

$\mu_X(m_1, \ldots, m_i, m, m_{i+1}, \ldots, m_j, I_X(m), m_{j+1}, \ldots, m_d) = \mu_X(m_1, \ldots, m_i, I_X(m), m_{i+1}, \ldots, m_j, m, m_{j+1}, \ldots, m_d) = \mu_X(1, m_1, \ldots, m_i, m_{i+1}, \ldots, m_j, m_{j+1}, \ldots, m_d)$.

E5) Homomorphism of Inverse Operator: For every $m_1, m_2, \ldots, m_d \in M_X$, and $d \ge 2$, $I_X(\mu_X(m_1, m_2, \ldots, m_d)) = \mu_X(I_X(m_1), I_X(m_2), \ldots, I_X(m_d))$.




E6) Cancellation of Double Inverse: For every $m \in M_X$, $I_X(I_X(m)) = m$.

E7) Generalized Homomorphism of Encryption/Decryption: For every $m_1, m_2, \ldots, m_d \in M_X$ and $d \ge 2$ the following hold

$E_X(\mu_X(m_1, \ldots, m_d)) = \mu_X(E_X(m_1), E_X(m_2), \ldots, E_X(m_d))$ and $D_X(\mu_X(m_1, \ldots, m_d)) = \mu_X(D_X(m_1), D_X(m_2), \ldots, D_X(m_d))$.

E8) Stability of Identity: $E_X(1) = 1$, $D_X(1) = 1$ and $I_X(1) = 1$.

E9) Commutativity of Operators: For every $m \in M_X$,
$E_X(I_X(m)) = I_X(E_X(m))$ and $D_X(I_X(m)) = I_X(D_X(m))$.

4. SECURITY WITH RESPECT TO RSA PROPERTIES 

In this section we define a new notion of insecurity: insecurity w.r.t. RSA. Loosely speaking, a protocol is insecure w.r.t. RSA if an adversary can seize the initial message by eavesdropping, initiating other executions of the protocol and taking advantage of the (10) equalities listed above.

In order to formally discuss the power of such an adversary, we have to study the algebra of expressions over the operator alphabet $\bigcup_X \{E_X, D_X, \mu_X, I_X\}$ w.r.t. the equalities listed in Sec. 4.2. This algebra is best described by representing its expressions as rooted labelled trees and enforcing its equalities by tree manipulation rules.

4.1 The Algebra of Operator Trees 

We start the description of the algebra by giving a representation of its 
expressions as rooted node-labelled trees. 

Definition 2: An operator tree is recursively defined as follows:

A constant is an element of $\bigcup_X M_X$.

A variable may be assigned any element of $\bigcup_X M_X$.

An atom is a node labelled either by a constant or by a variable. An atom is an operator tree (rooted at the atom).

A protocol node (P-node) is a node labelled either $E_X$ or $D_X$ for some $X$. An operator tree rooted at a P-node $v$ consists of the node $v$, an edge $(v,u)$ and an operator tree rooted at $u$. The operator tree rooted at $u$ is said to be a subtree hooked to $v$.




An inverse-node (I-node) is a node labelled $I_X$ for some $X$. An operator tree rooted at an I-node $v$ consists of the node $v$, an edge $(v,u)$ and an operator tree rooted at $u$. (The operator tree rooted at $u$ is said to be a subtree hooked to $v$.)

A multiplication-node ($\mu$-node) is a node labelled $\mu_X$ for some $X$. An operator tree rooted at a $\mu$-node $v$ consists of the node $v$, a set of $d \ge 1$ edges $\{(v,u_i)\}_{i=1}^{d}$ and a set of operator trees rooted at $u_1, u_2, \ldots, u_d$ respectively. (The operator tree rooted at $u_i$ is said to be a subtree hooked to $v$. Note that only a $\mu$-node may have more than one son in an operator tree.)

As a first step towards defining the operator tree algebra we define two operator trees to be isomorphic if there is a "labelling and rooting preserving" isomorphism from one tree to the other. This isomorphism can be precisely defined as follows:

Definition 3: Two operator trees $T_1$ and $T_2$ are said to be isomorphic if one of the following holds:

1) Both trees are atoms, and either both are labelled by the same constant or both are labelled by the same variable.

2) For $i \in \{1,2\}$, let $T_i$ consist of the root $v_i$ and $d$ subtrees hooked to $v_i$, denoted by $t_i^1, t_i^2, \ldots, t_i^d$ respectively. Then the labellings of $v_1$ and $v_2$ are equal and there exists a permutation $\pi$ (over the set $\{1,2,\ldots,d\}$) such that for every $1 \le j \le d$, the subtree $t_1^j$ is isomorphic to the subtree $t_2^{\pi(j)}$.

The equalities listed in Sec. 3.3 imply the following tree manipulation system. The system consists of 10 pairs of reduction rules, corresponding to these 10 equalities.

The Two-Way Reduction Rules: The notation $e_1(t) \to e_2(t)$ [$e_1(t) \leftarrow e_2(t)$] means that the subtree described by the expression $e_1(t)$ [$e_2(t)$] can be replaced by the subtree described by $e_2(t)$ [$e_1(t)$], in any operator tree. For every equality E$i$ ($0 \le i \le 9$) of the form $e_1(t) = e_2(t)$, we introduce a reduction rule (denoted $R_i$) $e_1(t) \to e_2(t)$ and a (reverse) reduction rule (denoted $\bar{R}_i$) $e_1(t) \leftarrow e_2(t)$. Finally, we define equivalence of operator trees as follows

Definition 4: Two operator trees are (two-way) equivalent if applying a sequence of reduction rules to one of them results in an operator tree which is isomorphic to the other. We stress that both the $\bar{R}_i$ and the $R_i$ reduction rules may be used in this sequence of applications.




4.2 Properties of the R-Reduction Rules

The reduction rules discussed in subsection 4.1 consist of pairs $R_i$ and $\bar{R}_i$ such that if $R_i$ is $e_1(t) \to e_2(t)$ then $\bar{R}_i$ is $e_1(t) \leftarrow e_2(t)$. This system of reduction rules is clearly infinite, in the sense that one can apply an infinite sequence of reduction rules to every operator tree. We will consider the $R_i$ ($0 \le i \le 9$) reduction rules, hereafter called the R-reduction rules. The system of R-reduction rules is finite; that is, for every operator tree $t$ there is a (finite) upper bound on the length of sequences of R-reduction rules which can be applied to $t$.

Lemma 3: Let $n$ denote the number of nodes in the operator tree $t$. Then $n^3$ is an upper bound on the length of R-reduction sequences which can be applied to $t$.

Remark 2: The upper bound presented in Lemma 3 is tight up to a multiplicative 
constant. A demonstration of this fact is omitted from this extended abstract. 

The finiteness of the R-reduction rules suggests the following

Definition 5: An operator tree is said to be irreducible if no R-reduction rule can 
be applied to it. 

Corollary 1 (to Lemma 3):

For every operator tree $t$, there exists an operator tree $r$ such that

1) $r$ is an irreducible operator tree.

2) $r$ is the result of applying a finite sequence of R-reduction rules to $t$.

Another appealing feature of the R-reduction rules is the insignificance of the order in which R-reduction rules are applied:

Lemma 4:

For every operator tree $t$ there exists a unique operator tree $r$ such that

1) $r$ is an irreducible operator tree

2) $r$ is the result of applying a finite sequence of R-reduction rules to $t$.

Lemma 4 can be proven by demonstrating⁴ that the R-reduction rules have the Church-Rosser Property [CR], and by using the Church-Rosser Theorem. By the Church-Rosser Theorem, if a reduction system is finite (in the sense of Lemma 3) and has the Church-Rosser Property then each object has a unique irreducible object reachable from it. Lemma 4 suggests the following

Definition 7: The reduced form of $t$ is an operator tree $r$ such that $r$ is irreducible and $t \to^{*} r$.



⁴ Such a demonstration is straightforward but tedious. An extensive study of general methods for proving the Church-Rosser property of tree manipulation systems was conducted by Rosen [R].




Definition 8: Two operator trees are said to be R-equivalent if their corresponding reduced forms are isomorphic.

4.3 R-Reduction Rules versus Two-Way Reduction Rules

In this subsection we show that the R-reduction rules are as powerful as the two-way reduction rules. This is of much importance since, unlike the two-way reduction rules, the R-reduction rules can only be applied a finite number of times and yield a unique (irreducible) result.

Lemma 5: Two operator trees are R-equivalent if and only if they are two-way equivalent.

Corollary 4 (to Lemma 5): With respect to any operator trees $t_1$ and $t_2$, the following are equivalent:

1) $t_1$ and $t_2$ can be proven to be equal in the proof system which consists of the axioms A0, A1 and A2 (of subsection 3.3) and the proof rule known as substitution.

2) The reduced form of $t_1$ is isomorphic to the reduced form of $t_2$.

Thus, the R-equivalence "grasps" the structure of the algebra of operator trees.

4.4 The New Security Definition 

Having presented the algebra of operator trees and its properties, we are 
ready to define insecurity with respect to this algebra. We will say that a protocol 
is insecure if a saboteur can construct an operator tree which is R-equivalent to 
the initial message sent from A to B . As in Definition 1 (subsection 2.3), the 
saboteur can apply any operator in his vocabulary as well as apply any instance of 
any protocol word to any message. Let us present a formal definition of this new 
insecurity notion. 

Definition 9: Let $P(X,Y) = (\alpha_1, \alpha_2, \ldots, \alpha_l)$ be a ping-pong protocol (as in subsection 2.2).

The protocol $P(\cdot,\cdot)$ is RSA-insecure if a saboteur $S$ who does not know the initial message $m_0$ (in the execution of $P$ by $A$ and $B$) can construct an operator tree which is R-equivalent to $m_0$. (This operator tree will be called the insecurity tree of protocol $P$.)

The trees that $S$ can construct are recursively defined as follows:

1) $S$ can construct the path $\alpha_1[A,B](m_0)$.

2) $S$ can construct an atom labelled by a constant.




3) Let $t$ be an operator tree which can be constructed by $S$. Then $S$ can construct the operator tree $D_Y(t)$ ($Y \ne A,B$ is any user in the net other than $A$ or $B$) and the operator tree $E_X(t)$ ($X$ is any user in the net).

4) Let $t$ be an operator tree which can be constructed by $S$. Then $S$ can construct the operator tree $\alpha_i[X,Y](t)$, where $1 \le i \le l$ and $X \ne Y$ are any two distinct users.

5) Let $t_1, t_2, \ldots, t_d$ be $d \ge 2$ operator trees which can be constructed by $S$. Then $S$ can construct the operator tree $\mu_X(t_1, t_2, \ldots, t_d)$ and the operator tree $I_X(t_1)$ ($X$ is any user in the net).

Consider the following variant of the above definition: 

Definition 10: The protocol $P(\cdot,\cdot)$ is generically-insecure if a saboteur $S$ who does not know the initial message $m_0$ (in the execution of $P$ by $A$ and $B$) can construct an operator tree which is R-equivalent to $m_0$, where the trees that $S$ can construct are recursively defined by 1, 2, 3 and 4 above (without 5).

Remark 3: Note that Definition 10 is identical to Definition 1 (the insecurity definition which appears in subsection 2.3).

(Note that if $P$ is generically insecure then it has an insecurity tree which consists of a path with one atom ($m_0$) and all other nodes are P-nodes. Also recall Remark 1 in subsection 2.3.)

5. EQUIVALENCE OF THE TWO SECURITY DEFINITIONS 

We are now ready to present the main result of this paper: the equivalence of 
the insecurity definitions presented in Definition 1 and Definition 9 (subsections 2.3 
and 4.4) respectively. By Remark 3 (above) it suffices to show that 

Main Theorem: A protocol P is RSA-insecure if and only if it is 
generically-insecure. 

Proof: Clearly, if the protocol $P$ is generically-insecure then it is RSA-insecure. It is left to show that if $P$ is RSA-insecure then it is generically-insecure.

Suppose that $P$ is RSA-insecure; then it has an insecurity tree $t$ which contains atoms, P-nodes and possibly I-nodes and $\mu$-nodes. Consider an application of an R-reduction sequence to the operator tree $t$, resulting in the operator tree $m_0$. Consider the node in $t$ that was not reduced during this reduction process (it is




labelled by $m_0$), and the path in $t$ from the root to this node. Denote the nodes on this path by $n_0, n_1, n_2, \ldots, n_l$. $n_0$ denotes $t$'s root and $n_l$ the node labelled by $m_0$ which was not reduced in the reduction sequence.

First note that the path which results from $n_0, n_1, \ldots, n_l$ by omitting all $\mu$-nodes and I-nodes can be constructed by the saboteur $S$. It is left to show that this path (the path which results from $n_0, n_1, \ldots, n_l$ by omitting all $\mu$-nodes and I-nodes) is R-equivalent to $m_0$. That is, that the P-nodes of this path can be paired in a non-interlacing manner such that the labels of the nodes of each pair are $E_X$ and $D_X$ (for some user $X$).

Throughout the R-reduction process, consider the path between the current root and $n_l$. Before the first reduction rule was applied this path consists of $n_0, n_1, \ldots, n_l$. Consider the application of the $i$-th R-reduction rule.

Case I: If the $i$-th rule is not R0 then it does not cause the omission (or insertion) of any P-node in the path from the current root to $n_l$. Furthermore, it also does not change the order in which the P-nodes appear on the path from the current root to $n_l$.

[Note that we rely on the fact that $n_l$ was not omitted during the R-reduction sequence.]

Case II: If the $i$-th rule is R0, but it is not applied to a node on the path from the current root to $n_l$, then it does not affect the nodes on this path.

Case III: If the $i$-th rule is R0 and it is applied to $n_j$ which is on the path between the current root and $n_l$, then it causes the omission of $n_j$ and some $n_k$. Note that both nodes are currently adjacent on the path between the root and $n_l$. In this case we pair the node $n_j$ with the node $n_k$.

Note that at the end of the reduction process the path between the current root and $n_l$ consists of a single node: $n_l$. It is evident that we have paired all the P-nodes of the initial path between the root and $n_l$ so that the pairs do not interlace and the labels of the P-nodes of each pair are $E_X$ and $D_X$ for some $X$.

We conclude by noting that concatenating the labels of the P-nodes on the initial path from the root to $n_l$ forms an insecurity string of the protocol $P$. Thus, $P$ is generically-insecure.



QED 
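As an added example (not code from the paper), the following Python computes reduced forms under the R-reduction rules R0 to R9, tests R-equivalence (Definition 8), and extracts the P-node path used in the proof above. The sample tree is constructed here: it is the kind of tree the saboteur of Definition 9 can build against the protocol $(E_Y, E_X D_Y)$ using the group operation, and stripping its I- and $\mu$-nodes leaves the path $D_S E_S D_B E_B$, a generic insecurity string, which is the content of the Main Theorem.

```python
"""Reduced forms under the R-reduction rules R0..R9 (the RSA equalities E0..E9
read left to right), R-equivalence (Definition 8) and the P-node path of the
Main Theorem's proof.  Added example, not code from the paper.

A tree is an atom (a string, "1" being the group identity) or a tuple
(label, user, children) with label in {"E", "D", "I", "mu"}; E, D and I nodes
have exactly one child, a mu-node has one or more.
"""


def node(label, user, *children):
    return (label, user, tuple(children))


def is_atom(t):
    return isinstance(t, str)


def step(t):
    """One R-reduction at the root of the (non-atom) tree t, or None."""
    label, x, ch = t
    if label in ("E", "D", "I"):
        c = ch[0]
        if c == "1":                                  # R8: E_X(1) = D_X(1) = I_X(1) = 1
            return "1"
        if is_atom(c) or c[1] != x:                   # every rule relates operators of one user
            return None
        cl, cch = c[0], c[2]
        if label == "I" and cl == "I":                # R6: I_X(I_X(t)) = t
            return cch[0]
        if label in "ED" and cl in "ED" and cl != label:   # R0: D_X(E_X(t)) = E_X(D_X(t)) = t
            return cch[0]
        if cl == "mu":                                # R5, R7: push I_X, E_X, D_X through mu_X
            return node("mu", x, *(node(label, x, s) for s in cch))
        if label in "ED" and cl == "I":               # R9: E_X(I_X(t)) = I_X(E_X(t))
            return node("I", x, node(label, x, cch[0]))
        return None
    if len(ch) == 1:                                  # R2: mu_X(t) = t
        return ch[0]
    if "1" in ch:                                     # R3: drop one redundant identity
        i = ch.index("1")
        return node("mu", x, *ch[:i], *ch[i + 1:])
    for i, s in enumerate(ch):
        if not is_atom(s) and s[0] == "mu" and s[1] == x:   # R1: flatten nested mu_X
            return node("mu", x, *ch[:i], *s[2], *ch[i + 1:])
    for i, s in enumerate(ch):                        # R4: t together with I_X(t) becomes 1
        if node("I", x, s) in ch:
            j = ch.index(node("I", x, s))
            return node("mu", x, "1", *(u for k, u in enumerate(ch) if k not in (i, j)))
    return None


def reduced_form(t):
    """Bottom-up normalisation to the unique reduced form (Lemma 4); mu-children
    are kept sorted so that isomorphic trees (Definition 3) become equal tuples."""
    if is_atom(t):
        return t
    label, x, ch = t
    t = node(label, x, *sorted((reduced_form(c) for c in ch), key=repr))
    r = step(t)
    return t if r is None else reduced_form(r)


def r_equivalent(t1, t2):
    """Definition 8: R-equivalent iff the reduced forms are isomorphic."""
    return reduced_form(t1) == reduced_form(t2)


def p_node_path(t, target):
    """Labels of the P-nodes on the root-to-`target` path with I- and mu-nodes
    omitted, as in the proof of the Main Theorem; None if target is absent."""
    if is_atom(t):
        return [] if t == target else None
    label, x, ch = t
    for c in ch:
        rest = p_node_path(c, target)
        if rest is not None:
            return ([(label, x)] if label in "ED" else []) + rest
    return None


# Constructed sample (hypothetical run, not from the paper): against the protocol
# (E_Y, E_X D_Y) the saboteur S multiplies A's message E_B(m0) by E_B(c), has B
# apply alpha_2[S,B] = E_S D_B to the product, applies D_S, and unblinds with I_B(c).
BLINDED = node("mu", "B", node("E", "B", "m0"), node("E", "B", "c"))
INSECURITY_TREE = node("mu", "B", node("I", "B", "c"),
                       node("D", "S", node("E", "S", node("D", "B", BLINDED))))

if __name__ == "__main__":
    print(reduced_form(INSECURITY_TREE))          # m0
    print(p_node_path(INSECURITY_TREE, "m0"))     # [('D', 'S'), ('E', 'S'), ('D', 'B'), ('E', 'B')]
```

The P-node path cancels to the identity under R0 alone, so the same protocol is already generically insecure without any use of R1 to R9, as the theorem predicts.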




6. EXTENSIONS 

The definitions and results of the previous sections can be extended in three direc- 
tions: 

1) The security of ping-pong protocols over an extended operator-alphabet.

2) The security of multi-party ping-pong protocols. 

3) Insecurity as the ability to accomplish the effect of a specified operator word. 

In this extended abstract, we only deal with the last case. The first two cases will 
appear in the full version of this paper. 

Insecurity as the Ability to Apply a Specific Operator Word 

The insecurity definitions appearing in this paper can be rephrased as follows: Can a saboteur construct an operator tree which is equivalent, modulo a specific set of reduction rules, to the left inverse of the first word in the protocol (i.e. equivalent to $\alpha_1[A,B]^{-1}$)? [The reader is referred to subsection 4.4 for a definition of the set of operator trees which can be constructed by the saboteur.]

Following [E], we generalize the above notions of security, and consider the following question: Can a saboteur construct an operator tree which is equivalent, modulo a specific set of reduction rules, to a specific operator word $\beta$? In case the saboteur can construct (using instances of the words of the protocol) such an operator word, we will say that the protocol is $\beta$-insecure; otherwise we say that the protocol is $\beta$-secure.

Using the appropriate sets of reduction rules, we derive definitions for $\beta$-RSA-insecurity and $\beta$-generic-insecurity. (In the first the set of reduction rules consists of all R-reductions, while in the second the set of reduction rules consists only of R0.) The proof of the Main Theorem can be modified to yield the following:

Theorem 2: For every $\beta$, a protocol is $\beta$-RSA-insecure iff it is $\beta$-generically-insecure.



7. CONCLUDING REMARKS 

In [D], Denning considered a signing protocol which consists of applying the user's decryption operator to the given document. Formally, this protocol consists of two phases: in the first one, party $S$ sends his counterpart ($R$) a document $m$ (to be signed); in the second phase $R$ applies $D_R$ to $m$ and replies with the result $D_R(m)$, which is considered to be $R$'s signature to $m$.




Using the fact that the message space of the RSA forms a group and that the encryption function is a homomorphism of this group, Denning demonstrated (by methods of Davida [Da] and others) that the RSA implementation of the above protocol is insecure. Namely, that $S$ can get $R$'s signature to a message $m$ without $R$ being willing to sign $m$.

The fact that the above protocol is $D_R$-RSA-insecure should be no surprise, since this protocol is obviously $D_R$-generically-insecure. In the above protocol, $R$ does not have the choice of which messages he signs since he is assumed to play the protocol for any initial message. In order to get $R$'s signature to $m$ all $S$ needs to do is to send $m$ to $R$ in the first phase. Thus, the weaknesses pointed out by Denning reflect only the weakness of the protocol she used, not a weakness of the RSA. Furthermore,

Any successful attack on a ping-pong protocol which relies on the obvious properties of the RSA (listed in Sec. 2) can be transformed into a successful attack which works no matter which public-key cryptosystem is used to implement the protocol.

In other words, generically-secure ping-pong protocols are immune against attacks which rely on the obvious properties of the RSA.

ACKNOWLEDGEMENT 

We wish to thank Silvio Micali for many intriguing discussions concerning the 
security of cryptographic protocols. 

REFERENCES 

[ACGM] Awerbuch B., Chor B., Goldwasser S., and Micali S., "Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults", Proc. of the 24th IEEE Symp. on Foundation of Computer Science,

[BGMR] Ben-Or, M., Goldreich, O., Micali, S., and Rivest, R.L., "A Fair Protocol for Signing Contracts", Proc. of the 12th ICALP, Lecture Notes in Computer Science (194), Springer Verlag, 1985, pp. 43-52.

[CR] Church, A., and Rosser, J.B., "Some Properties of Conversion", Trans. Amer. Math. Soc. 39, (1936), pp. 472-482.

[CF] Cohen J.D., and Fischer, M.J., "A Robust and Verifiable Cryptographically Secure Election Scheme", Proc. of the 24th IEEE Symp. on Foundation of Computer Science,




[Da] Davida G.I., "Chosen Signature Cryptoanalysis of the RSA (MIT) Public Key Cryptosystem", Tech. Rep. TR-CS-82-2, Dept. of Electrical Engineering and Computer Science, Univ. of Wisconsin, Milwaukee, WI, Oct. 1982.

[D] Denning D.E., "Digital Signatures with RSA and Other Public-Key Cryptosystems", Comm. of the ACM, Vol. 27, April 1984, pp. 388-392.

[DLM] DeMillo, R., Lynch, N., and Merritt, M., "Cryptographic Protocols", Proc. of the 14th ACM Symp. on Theory of Computation, 1982, pp. 383-400.

[DH] Diffie, W., and Hellman, M.E., "New Directions in Cryptography", IEEE Trans. on Inform. Theory, Vol. IT-22, No. 6, November 1976, pp. 644-654.

[DEK] Dolev, D., Even, S., and Karp, R.M., "On the Security of Ping-Pong Protocols", Inform. and Control, Vol. 55, 1982, pp. 57-68.

[DY] Dolev, D., and Yao, A.C., "On the Security of Public-Key Protocols", IEEE Trans. on Inform. Theory, Vol. IT-29, 1983, pp. 198-208.

[E] Even, S., "On the Complexity of Some Word Problems that Arise in Testing the Security of Protocols", presented in NATO Advanced Research Workshop on Combinatorial Algorithms on Words, Maratea, Italy, June 1984.

[EG] Even, S., and Goldreich, O., "On the Security of Multi-Party Ping-Pong Protocols", Proc. of the 24th IEEE Symp. on Foundation of Computer Science, 1983, pp. 34-39.

[EGL] Even, S., Goldreich, O., and Lempel, A., "A Randomized Protocol for Signing Contracts", Comm. of the ACM, Vol. 28, No. 6, pp. 637-647, 1985.

[GHY] Galil Z., Haber S., and Yung M., "A Private Interactive Test of a Boolean Predicate and Minimum-Knowledge Public-Key Cryptosystems", Proc. of the 24th IEEE Symp. on Foundation of Computer Science,

[GMR] Goldwasser, S., Micali, S., and Rackoff, C., "The Knowledge Complexity of Interactive Proof Systems", Proc. of the 17th ACM Symp. on Theory of Computation, 1985, pp. 291-304.

[LMR] Luby, M., Micali, S., and Rackoff, C., "How to Simultaneously Exchange a Secret Bit by Flipping a Symmetrically-Biased Coin", Proc. of the 24th IEEE Symp. on Foundation of Computer Science, 1983, pp. 11-21.

[NS] Needham, R.M., and Schroeder, M.D., "Using Encryption for Authentication in Large Networks of Computers", Comm. of the ACM, Vol. 21, No. 12, 1978, pp. 993-999.

[RSA] Rivest, R.L., Shamir, A., and Adleman, L., "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Comm. of the ACM, Vol. 21, February 1978, pp. 120-126.

[R] Rosen, B.K., "Tree-Manipulation Systems and Church-Rosser Theorems", Jour. of the ACM, Vol. 20, No. 1, January 1973, pp. 160-187.



A Secure Poker Protocol
that Minimizes the Effect of Player Coalitions



Claude Crépeau

Département d'informatique et de recherche opérationnelle
Université de Montréal
C.P. 6128 succursale "A", Montréal
Québec, Canada, H3C 3J7



1. Introduction 



What can we expect from a poker protocol? How close to reality can we come?

From the outset of this research, we realized that a cryptographic protocol could achieve more security than its real life counterpart (with physical cards). But every protocol proposed until now was far from offering all the possibilities of a real deck of cards or could not achieve the full security we were expecting.

Since Shamir, Rivest and Adleman first stated a solution to the mental poker problem [SRA], many protocols trying to implement a fully secure game have been proposed. Although SRA proved in the two player case that such a solution is not possible from an information theoretic point of view, such solutions might be possible when the players' computational power is limited. The leakage of partial information, found by Lipton [Li], in the initial SRA protocol was fixed by Goldwasser & Micali [GM1], in the two player case, using probabilistic encryption. Unfortunately this scheme did not extend to a larger number of players. No complete solution to the multi-player version of the problem is yet known. All proposals make special assumptions, like the players' inability to establish secret communications [Yu]&[BF] or the existence of a trusted third party [FM].

To conceive a complete poker protocol, some constraints must be followed : 

• Uniqueness of cards 

• Uniform random distribution of cards 

• Absence of trusted third party 

• Cheating detection with a very high probability 

• Complete confidentiality of cards 

• Minimal effect of coalitions 

• Complete confidentiality of strategy 

Each card must appear once and only once, either in the deck or in the hand of one player. The only case when a card may appear more than once must be the result of some detectable cheating.

The hand of each player must depend on decisions made by every player, so that none of them has any control on his hand or on his opponents'. Every possible hand must have an equal probability and be accessible to all players.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 73-86, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 




No trusted party may be assumed, since any human can be bribed, and no machinery is entirely safe because no tamper-proof device can be achieved.

Any attempt to cheat must be detected. The probability that a player may cheat without being detected must decrease very fast (exponentially) with respect to some security parameter that the players must decide before the game. Also the amount of work to accomplish the protocol should increase reasonably (polynomially) with respect to this parameter. The value of this parameter will depend on the confidence the players have towards each other, and the maximum computation power they can achieve.

No partial or total information about any card from the deck may be obtainable without the approval of every opponent. Also, no information may be obtained from a player's hand without his approval.

When more than two players are involved, some players could establish secret communication and exchange all their knowledge about the game, the protocol or any secret data involved in the protocol. Nonetheless they should not be able to take advantage of this. This information should be equivalent to the cards they separately have in their hands. In other words, as long as one player is not cheating, nobody can learn more about his hand, or about the cards in the deck, than what they can deduce from the cards in their coalition.

Finally, it is strategically very important in the game of poker that the losing players may keep their cards secret at the end of a hand. The whole concept of bluffing is based on this fact. Therefore, an ideal protocol should neither force the players to reveal their hands nor any information leading to some knowledge about them.

Our protocol fully implements a secure game achieving the first six properties. Only the confidentiality of the strategy remains unsolved, as all players will be requested to reveal all their information in the cheating-detection phase of this protocol.

This protocol is based on the implementation of the new concept of Hiding-Revealing transactions. These transactions enable a party $A$ to pick a value from a set known to a party $B$ without letting $B$ know which element $A$ has picked.

Our multi-player protocol is a direct extension of our two player version. Let us first describe this simplified protocol. Suppose that $P_1$ and $P_2$ want to play a fair game of poker. Assume that each of them will cheat if he can do so (without being detected).

Assume a correspondence between the cards and the set $\{1,2,3,\ldots,51,52\}$. So from now on, numbers from 1 to 52 will be used to describe the cards themselves.

2. Cards shuffling

To shuffle the deck of cards, $P_1$ picks at random a permutation $\pi_1$ of $\{1,2,3,\ldots,51,52\}$ and $P_2$ picks $\pi_2$. Accessing any card will be done via these two permutations. Each player $P_i$ locks his permutation $\pi_i$ using a locking function that must satisfy some special properties described below (which two well known cryptosystems will be shown to satisfy). Then $P_i$ posts the locked version of $\pi_i$. A card will be accessed by $\pi_1(\pi_2(k))$ for $k \in \{1,2,3,\ldots,51,52\}$. Since a player doesn't know the permutation of his opponent, the value $\pi_1(\pi_2(k))$ cannot be predicted by either player. To get a card, a player



75 



would like to compute Tr^n^fc)) from k and the encoded permutations (with the collaboration of his 
opponent) without revealing the outcome of his calculation. This is clearly easy for P^, but tricky for 

Pi- 

3. Requirements

To play the game, each player will have to pick four functions $(L, U, H, R)$ according to the rules described below. Briefly, these functions will be used in the protocol to transfer information from one player to another. Suppose a player owns a set of values $V$. He will show a perfectly hidden version of his elements using the locking function $L$. The opponent will be able to select a value from $V$, without revealing which one, by choosing a locked element $c$, hiding it with $H$, asking the first player to use $U$ in order to release some trap-door information about $H(c)$, and finally inverting the hiding he did previously, using $R$ on $U(H(c))$ to read the value he has chosen. If $H$ and $R$ have some "good" properties, then the owner of the set $V$ will not be able to determine the value chosen by his opponent, nor will his opponent learn anything on the other values in $V$.

The following properties summarize sufficient conditions to build our protocol. This general approach is followed by two fundamentally different implementations. The presentation is done in a general framework in order to avoid mixing practical implementation details with the high level aspects of the scheme.

Let $V$ be the value space (in this case $\{1,2,3,\dots,51,52\} \subseteq V$).

Let $S$ be the seed space.

Let $C$ be the coded (locked) message space.

Let $K$ be the unlocking key space.

Let $M$ be the mask space.

Let $A$ be the ambiguous value space.

(the full meaning of the following properties will become clear in the next sections)

1) $\forall v_1, v_2 \in V,\ \forall s_1, s_2 \in S$: $L(v_1, s_1) = L(v_2, s_2) \Rightarrow v_1 = v_2$.

2) $\forall v \in V,\ \forall_p s \in S$, it is computationally infeasible to compute any information about $v$ from $L(v, s)$.

3) $\forall v \in V,\ \forall_p s \in S$, it is computationally infeasible to compute $s$ from $v$ and $L(v, s)$.

Define

$L : V \times S \to C$ (locking function)
$U : A \to K$ (unlocking function)
$H : M \times C \to A$ (hiding function)
$R : M \times C \times K \to V$ (revealing function)

such that

4) $\forall m \in M,\ \forall v \in V,\ \forall s \in S$: $R(m, L(v,s), U(H(m, L(v,s)))) = v$.

5) $\forall a \in A,\ \forall v_1, v_2 \in V,\ \forall s_1, s_2 \in S$: $\#\{m \in M \mid H(m, L(v_1, s_1)) = a\} = \#\{m \in M \mid H(m, L(v_2, s_2)) = a\}$.

6) $\forall v \in V,\ \forall_p (m, s) \in M \times S$, it is computationally infeasible to compute $m$ given $H(m, L(v,s))$ and $L(v,s)$.

7) There exists some polynomial time algorithm for each of $L, U, H, R$, but $U$ includes trap-door information which is computationally infeasible to derive from $L, H, R$.

Here $\forall_p x \in X$ means:

"for all $x \in X$, except a number of elements smaller than any polynomial fraction in $\log(\#X)$".
4. Protocol 

Assuming the existence of such functions (two implementations are given later), we describe our protocol. Let $i \in \{1, 2\}$.

Preparation Protocol

Each player $P_i$:

Step 1. Defines $V_i, S_i, C_i, K_i, M_i, A_i$.

Step 2. Defines $L_i, U_i, H_i, R_i$.

Step 3. Picks $\pi_i$, a permutation of $\{1,2,\dots,52\}$.

Step 4. Posts $L_i, H_i, R_i$.

Step 5. Picks $s_{i,1}, s_{i,2}, \dots, s_{i,52} \in S_i$ at random.

Step 6. Posts $l_i(v) = L_i(\pi_i(v), s_{i,v})$, $1 \le v \le 52$.

From property 2, revealing $L_1(\pi_1(v), s_{1,v})$, $1 \le v \le 52$, leaks no information on $\pi_1(v)$. But since only 52 values are possible for $\pi_1(v)$, it would be easy to determine $\pi_1(v)$ from $s_{1,v}$ if the latter were easily computable, by comparing $L_1(1, s_{1,v}), L_1(2, s_{1,v}), \dots, L_1(52, s_{1,v})$ with $l_1(v)$. This is why property 3 is essential.

Initially, every $v \in \{1,2,3,\dots,52\}$ is marked as "free". Suppose $P_2$ wants to get a card.

Card Reading Protocol 1

Step 1. $P_2$ picks at random a "free" value $v \in \{1,2,3,\dots,52\}$ and marks $v$ as "used".

Step 2. $P_2$ asks $P_1$ for the value of $\pi_1(v)$.

Step 3. $P_1$ reveals $\pi_1(v)$ to $P_2$.

Step 4. $P_2$ secretly computes $\pi_2(\pi_1(v))$, which is his card.

At the end of the game, $P_1$ will be able to produce a proof that the value revealed ($\pi_1(v)$) was correct by showing $s_{1,v}$, so that $P_2$ can compare $L_1(\pi_1(v), s_{1,v})$ with $l_1(v)$. $P_1$ cannot cheat on this, since $l_1(v)$ uniquely determines $\pi_1(v)$ by property 1.



At the end of the game, if $P_2$ claims to have the card $\pi_2(\pi_1(v))$ in his hand, he will be able to produce a proof of this by revealing $s_{2,\pi_1(v)}$ so that $P_1$ can compare $L_2(\pi_2(\pi_1(v)), s_{2,\pi_1(v)})$ with $l_2(\pi_1(v))$. Again, $P_2$ cannot cheat on this, due to property 1. So this transaction is fully secured.

Now suppose $P_1$ wants to get a card.

Card Reading Protocol 2a (not sufficient in general)

Step 1. $P_1$ picks at random a "free" $v \in \{1,2,3,\dots,52\}$ and marks it as "used".

Step 2. $P_1$ secretly computes $\pi_1(v)$.

Step 3. $P_1$ picks $m \in M_2$ and computes $h = H_2(m, l_2(\pi_1(v)))$.

Step 4. $P_1$ asks $P_2$ to compute the key $k$ to $h$.

Step 5. $P_2$ returns $k = U_2(h)$ to $P_1$.

Step 6. $P_1$ computes $R_2(m, l_2(\pi_1(v)), k) = \pi_2(\pi_1(v))$ {by property 4}.



Since $H$ has property 5, $P_2$ gets strictly no information on $\pi_1(v)$ from $h$, since any of the $l_2$'s may have been used with equal probability.

We call this (Step 3 to Step 6) a Hiding-Revealing transaction between $P_1$ and $P_2$. In this transaction $P_2$ has revealed a secret value to $P_1$, namely $\pi_2(\pi_1(v))$, without knowing which one he has given away. At the end of the game $P_1$ will be able to check this transaction when asking $P_2$ to reveal $s_{2,\pi_1(v)}$: he can compare $L_2(\pi_2(\pi_1(v)), s_{2,\pi_1(v)})$ with $l_2(\pi_1(v))$. The only remaining problem is proving to $P_2$ that $P_1$ did not fool him in making him decode something else than $H_2(m, l_2(\pi_1(v)))$. How can we force $P_1$ to respect the protocol?

First, let us see how $P_1$ could cheat. Suppose $P_1$ asks $P_2$ to decode $h' = H_2(m, l_2(\pi_1(v')))$ for $v' \ne v$, instead of $h$. Then $P_1$ will get $\pi_2(\pi_1(v'))$ when claiming he has been accessing $\pi_2(\pi_1(v))$. This could be interesting for $P_1$, for instance, if $v'$ is marked as "used" because $\pi_2(\pi_1(v'))$ is in fact a card in $P_2$'s hand. This would allow $P_1$ to know one card of his opponent, at the cost of not knowing one of his own. But at the end of the game, $P_1$ will not know what $\pi_2(\pi_1(v))$ is. So if $P_1$ is asked to reveal all the cards he should have accessed, he won't be able to do so. (In fact $P_1$ may decide to access the card later in the game, but in that case the problem will carry over to this new card he pretends to read.)

But $P_1$ could be more subtle than that. He could try to get partial information on many cards at once. Maybe $P_1$ claims to follow the protocol, when in fact he is asking $P_2$ to decode some special value $g = G(l_2(1), \dots, l_2(52))$ instead of $h$, hoping that $G'(l_2(1), \dots, l_2(52), U_2(g))$ returns relevant information (partial or total) on more than one entry of $\pi_2$, for some easily computable functions $G : C^{52} \to A$, $G' : C^{52} \times K \to V^{52}$ he has discovered. This way, he might find out what $\pi_2(\pi_1(v))$ is and get additional knowledge on some other cards.

Our general solution to this problem takes advantage of property 6. $P_2$ will ask $P_1$, at the end of the game, to reveal $\pi_1(v)$, $s_{1,v}$ and $m$. This allows $P_2$ to compare $l_1(v)$ with $L_1(\pi_1(v), s_{1,v})$ and $h$ with $H_2(m, l_2(\pi_1(v)))$. But this is not yet a proof of $P_1$'s fairness. Maybe $P_1$ computed $m$ after he received the answer $k$ in Step 5.

Suppose $P_1$ uses $g$ as defined earlier. After he gets $k = U_2(g)$ from $P_2$, maybe he can deduce $\pi_2(\pi_1(v))$, additional information on $\pi_2$, and some $m$ such that $g = H_2(m, l_2(\pi_1(v)))$. However, if we force $P_1$ to publish a coded copy of $m$ before making Step 4 of the transaction, then to prove a fair access to $\pi_2(\pi_1(v))$, $P_1$ would have had to compute $m$ before learning $k$. But this is not possible by property 6, because from $g$ and $l_2(\pi_1(v))$, $P_1$ cannot compute $m$. So $P_1$ is fair if and only if he knew $m$ before the value of $k$ was revealed to him.

To implement this solution, we use a (possibly trap-door) public one-way function $O_i$ that hides all partial information on its inputs, and add one step to our protocol (notice that this modification is not necessary for one of the implementations proposed in section 5):

Card Reading Protocol 2b

Step 1. $P_1$ picks at random a "free" $v \in \{1,2,3,\dots,52\}$ and marks it as "used".

Step 2. $P_1$ secretly computes $\pi_1(v)$.

Step 3. $P_1$ picks $m \in M_2$ and computes $h = H_2(m, l_2(\pi_1(v)))$.

Step 4. $P_1$ asks $P_2$ to compute the key $k$ to $h$.

Step 4a. $P_1$ posts $O_1(m)$.

Step 5. $P_2$ returns $k = U_2(h)$ to $P_1$.

Step 6. $P_1$ computes $R_2(m, l_2(\pi_1(v)), k) = \pi_2(\pi_1(v))$.



This way, $P_2$ can check later that $P_1$ knew $m$ before Step 4 of the transaction. The fact that the one-way function hides all partial information is important. In some implementations it is possible for $P_2$ to compute $\{m \mid \exists i,\ 1 \le i \le 52,\ \text{such that } H_2(m, l_2(i)) = h\}$. If $O_1$ did leak some information, then the correct $m$ could be found or the set of possible candidates could be reduced, according to the leaked information, and $P_2$ would gain some knowledge about $\pi_1(v)$.

During the game, cards can be picked from the deck or discarded just by marking (with "used" or "discarded", respectively) the appropriate element in $\{1,2,3,\dots,52\}$ (e.g. to discard $\pi_2(\pi_1(v))$ just mark $v$ as "discarded").

At the end of the game all secret information must be published as proofs of fairness of the players. But some care must be taken in the implementations where the $O_i$ functions are not used, to avoid revealing some secret item too soon. Otherwise a cheating opponent could forge a fairness proof from what he just learned. So, proofs of fairness must be done in the following way. To prevent a cheater from forging a proof, each player must execute Step 1 before anyone does Step 2, since Step 2 is used to prove that the values revealed in Step 1 were the correct ones. Also each one must execute Step 2 before anyone does Step 3, since learning the $s$'s may be a clue to the successful forging of $m$.






Proof of Fairness Protocol

Each player reveals:

Step 1. $\pi_1(v), \pi_2(\pi_1(v))$ for each $v$ he has accessed.

Step 2. All $m \in M$ used for some Hiding-Revealing operations.

Step 3. $\pi_i(v)$ and $s_{i,v}$, $1 \le v \le 52$.



This enables the opponent to check the transactions and to be sure that no cheating took place. 
The generalization to more than two players is found in section 6. 

5. Implementations 

We now propose two implementations of this protocol. The first is based on RSA [RSA] and the efficient probabilistic encryption scheme of Blum & Goldwasser (BG) [BG]. The second is based on the probabilistic encryption scheme of Goldwasser & Micali (GM) [GM]. This first version matches the general pattern given above.

5.1. Using RSA/BG.

Let $P$ be one of the players. $P$ selects $p, q$ two large primes; large enough for the least 6 RSA bits to be $1/2 + (1/\mathrm{poly}(\log(pq)))$-secure (see [CG]). Let $n = pq$. $P$ selects $e, d$ such that $ed \equiv 1 \pmod{\phi(n)}$. Then define $V = \{0,1,2,3,\dots,63\}$, $S = K = M = A = \mathbb{Z}_n^*$, $C = V \times S$. $(x \downarrow n)$ denotes the $n$ least significant bits of $x$ and $\oplus$ denotes the bit-by-bit exclusive-OR.

Functions

$L(v, s) = ((s \downarrow 6) \oplus v,\ (s^e \bmod n))$
$U(a) = (a^d \bmod n)$
$H(m, c) = (m^e\, s(c) \bmod n)$
$R(m, c, k) = (((m^{-1} k) \bmod n) \downarrow 6) \oplus v(c)$
$O(m) = \mathrm{BG}(m, s_0)$

where $m^{-1}$ is the multiplicative inverse of $m \pmod n$ and $c = (v(c), s(c))$. BG is the Blum-Goldwasser encryption function (see [BG]); in this implementation, one can use BG in the following way. $P$ picks a random $s_0 \in S$, and computes $s_k = s_{k-1}^2 \bmod n$, $1 \le k \le |m|/6$. $P$ then posts [illegible] and $\langle (s_0 \downarrow 6)(s_1 \downarrow 6) \dots (s_{|m|/6 - 1} \downarrow 6) \rangle \oplus m$. Here $\langle \dots \rangle$ denotes the concatenation of the given blocks of 6 bits. According to [BG], no partial information about $m$ can efficiently be computed from these two public values. At the end of the game $P$ will have to reveal $s_0$; then everybody will be able to compute $s_1, s_2, \dots$ and recover $m$ by inverting the $\oplus$. It will also be possible to check that this is the correct $s_0$ since [illegible] is uniquely decodable.






Theorem: $L, U, H, R$ satisfy properties 1 to 7 (assuming inverting RSA is hard).

Proof:

1) $\forall v_1, v_2 \in V,\ \forall s_1, s_2 \in S$, $L(v_1, s_1) = L(v_2, s_2)$
$\Rightarrow ((s_1 \downarrow 6) \oplus v_1,\ (s_1^e \bmod n)) = ((s_2 \downarrow 6) \oplus v_2,\ (s_2^e \bmod n))$
$\Rightarrow (s_1^e \bmod n) = (s_2^e \bmod n)$ and $(s_1 \downarrow 6) \oplus v_1 = (s_2 \downarrow 6) \oplus v_2$
$\Rightarrow s_1 = s_2$ (since $x \mapsto x^e \bmod n$ is a permutation of $\mathbb{Z}_n^*$), hence $v_1 = v_2$.

2) Since the 6 least significant bits of $s$ are $1/2 + (1/\mathrm{poly}(\log n))$-secure.

3) RSA is assumed hard to invert. Being given the last 6 bits of $s$ can at best speed up finding $s$ by a factor of 64.

4) $\forall m \in M,\ \forall v \in V,\ \forall s \in S$, $H(m, L(v,s)) = ((m^e s^e) \bmod n) = ((ms)^e \bmod n)$
$\Rightarrow U(H(m, L(v,s))) = (ms) \bmod n$
$\Rightarrow R(m, L(v,s), U(H(m, L(v,s)))) = ((m^{-1} (ms \bmod n) \bmod n) \downarrow 6) \oplus (s \downarrow 6) \oplus v$
$= ((s \bmod n) \downarrow 6) \oplus ((s \bmod n) \downarrow 6) \oplus v = v$

5) $\forall v \in V,\ \forall s \in S,\ \forall a \in A$, $\{m \in M \mid H(m, L(v,s)) = a\} = \{m \in M \mid (ms)^e \bmod n = a\} = \{a^d s^{-1} \bmod n\}$

6) Suppose we have $x \in \mathbb{Z}_n^*$. If a polynomial fraction in $\log(\#M \times C)$ values of $H(m, c)$ were easy to invert given $c$, then we could choose $a_k = s(c_k)\, r_k^e\, x$ for polynomially many random $c_k, r_k$ and, with a very high probability, find a solution to $a_{k_0} = H(m, c_{k_0})$ ($k_0$ is one of the values attempted), using that inversion algorithm. One can check that $m r_{k_0}^{-1}$ would then be a solution to $(m r_{k_0}^{-1})^e \equiv x \pmod n$. This would imply we can invert RSA.

7) Clearly $L, U, H, R$ are easy to compute.
□
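To make the section 5.1 functions and Card Reading Protocol 2a concrete, here is an added Python toy that is not the paper's code: it implements $L$, $U$, $H$ and $R$ as defined above on tiny, deliberately insecure primes, runs one Hiding-Revealing transaction for $P_1$ against $P_2$'s posted table, performs the end-of-game checks of section 4, and computes the candidate masks that $P_2$ could form from $h$ (the singleton set of proof step 5, one per posted entry). The modulus, the exponent, the 52-entry tables and the helper names (`prepare`, `hiding_revealing`, `check_transaction`, `candidates`, `play_round`) are all constructed for the example; the BG encoding $O(m)$ of protocol 2b is not implemented.

```python
"""Toy instance of the section 5.1 functions L, U, H, R and of Card Reading
Protocol 2a.  Added example, not the paper's code.  The primes are far too
small to be secure; they only keep the arithmetic easy to trace."""
import random
import secrets

# P2's RSA parameters (constructed toy values, not secure)
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)        # e*d = 1 (mod phi(n)); d is P2's trap-door for U


def low6(x):
    """(x↓6): the six least significant bits of x."""
    return x & 0x3F


def rand_unit():
    """A random element of Z_n^* (coprime to n)."""
    while True:
        s = secrets.randbelow(N - 2) + 2
        if s % P and s % Q:
            return s


# V = {0,...,63}, S = K = M = A = Z_n^*, C = V x S with c = (v(c), s(c))
def L(v, s):
    """Locking: L(v,s) = ((s↓6) ⊕ v, s^e mod n)."""
    return (low6(s) ^ v, pow(s, E, N))


def U(a):
    """Unlocking (uses the trap-door d): U(a) = a^d mod n."""
    return pow(a, D, N)


def H(m, c):
    """Hiding: H(m,c) = m^e * s(c) mod n, which equals (m*s)^e mod n."""
    return (pow(m, E, N) * c[1]) % N


def R(m, c, k):
    """Revealing: R(m,c,k) = (((m^-1 * k) mod n)↓6) ⊕ v(c)."""
    return low6((pow(m, -1, N) * k) % N) ^ c[0]


def prepare(perm):
    """Preparation Protocol steps 5-6 for the owner of (L,U): draw a seed s_v
    per index and post l(v) = L(pi(v), s_v).  Returns (private seeds, posted)."""
    seeds = {v: rand_unit() for v in perm}
    posted = {v: L(perm[v], seeds[v]) for v in perm}
    return seeds, posted


def hiding_revealing(posted, index, unlock):
    """Protocol 2a steps 3-6 from P1's side.  `unlock` plays P2 in steps 4-5
    and returns k = U2(h).  Returns (m, h, value) so the transaction can be
    checked at the end of the game."""
    m = rand_unit()
    h = H(m, posted[index])
    k = unlock(h)
    return m, h, R(m, posted[index], k)


def check_transaction(posted, index, seed, claimed, m, h):
    """End-of-game checks of section 4: l(index) == L(claimed, s_index) binds
    the value (property 1) and h == H(m, l(index)) shows which entry was hidden."""
    return posted[index] == L(claimed, seed) and h == H(m, posted[index])


def candidates(h, seeds):
    """P2's view of h (property 5): for every index i there is exactly one mask
    m_i = U(h) * s_i^-1 with H(m_i, l(i)) == h, so h points at no particular i."""
    k = U(h)
    return {i: (k * pow(s, -1, N)) % N for i, s in seeds.items()}


def play_round(seed=1):
    """P1 draws pi2(pi1(v)) through one Hiding-Revealing transaction with P2."""
    rng = random.Random(seed)
    deck = list(range(1, 53))
    perm1 = dict(zip(deck, rng.sample(deck, 52)))     # P1's pi_1 (secret)
    perm2 = dict(zip(deck, rng.sample(deck, 52)))     # P2's pi_2 (secret)
    seeds2, posted2 = prepare(perm2)                  # P2 posts l_2(v)
    v = rng.choice(deck)                              # step 1: a "free" v
    index = perm1[v]                                  # step 2: pi_1(v)
    m, h, card = hiding_revealing(posted2, index, U)  # steps 3-6
    fair = check_transaction(posted2, index, seeds2[index], card, m, h)
    return card == perm2[index], fair


if __name__ == "__main__":
    print(play_round())    # (True, True)
```

`candidates` is the set from the discussion of protocol 2b: since each posted entry admits exactly one mask explaining $h$, nothing in $h$ distinguishes the entry $P_1$ really hid, which is why the separate commitment $O_1(m)$ is needed in this implementation.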



In this first implementation we need $O$ to solve the cheating problem. But in the next one, no $O$ is required. Data expansion may be greater in this second version, but the simplicity obtained is worth the difference.

5.2. Using Probabilistic Encryption (GM).

Let $P$ be one of the players. $P$ selects $p, q$ two large primes. Let $n = pq$. $P$ selects $\eta$ such that $\left(\frac{\eta}{p}\right) = \left(\frac{\eta}{q}\right) = -1$ (where $\left(\frac{x}{p}\right)$ is the Legendre symbol of $x$ over $p$). Then define $V = K = \{0,1\}^6 = \{0,1,2,3,\dots,63\}$, $S = (\mathbb{Z}_n^*)^6$, $C = A = \mathbb{Z}_n^*[+1]^6$ and $M = V \times S$ (where $\mathbb{Z}_n^*[+1] = \{x \mid x \in \mathbb{Z}_n^*\ \&\ \left(\frac{x}{n}\right) = +1\}$ and $\left(\frac{x}{n}\right)$ is the Jacobi symbol of $x$ over $n$).

Denote $x = (x_1, x_2, x_3, x_4, x_5, x_6) \in X$, where $(x, X)$ is any of $(v, V), (c, C), (s, S), (k, K)$ or $(a, A)$. Denote also $m = (v(m), s(m)) \in M = V \times S$ and $(c \otimes c')_j = (c_j c'_j \bmod n)$.

Functions

$L(v, s) = (\lambda(v_1, s_1), \lambda(v_2, s_2), \lambda(v_3, s_3), \lambda(v_4, s_4), \lambda(v_5, s_5), \lambda(v_6, s_6))$
$U(a) = (\mu(a_1), \mu(a_2), \mu(a_3), \mu(a_4), \mu(a_5), \mu(a_6))$
$H(m, c) = L(m) \otimes c$
$R(m, c, k) = v(m) \oplus k$

where $\lambda(x, y) = y^2 \eta^x \bmod n$ and $\mu(x) = 0$ if $x$ is a quadratic residue mod $n$, $1$ if $x$ is not a quadratic residue mod $n$. Note that these functions are inspired by those defined in [GM2].

Theorem: $L, U, H, R$ satisfy properties 1 to 7 (assuming the quadratic residuosity assumption (QRA)).

Proof:

1) $\forall v, v' \in V,\ \forall s, s' \in S$, $L(v, s) = L(v', s') \Rightarrow v = v'$ since GM is uniquely decodable.

2) Known property under QRA (see [GM2]).

3) True under QRA, because the ability to compute $s$ from $v$ and $L(v, s)$ would allow to extract square roots, hence factor $n$, which is hard under QRA.

4) $\forall v \in V,\ \forall s \in S,\ \forall m \in M$, $R(m, L(v,s), U(H(m, L(v,s))))$
$= v(m) \oplus U(H(m, L(v,s)))$
$= v(m) \oplus v(m) \oplus v$, since $\mu(s(m)_j^2 \eta^{v(m)_j} s_j^2 \eta^{v_j}) = v(m)_j \oplus v_j$, $1 \le j \le 6$
$= v$

5) $\forall v \in V,\ \forall s \in S,\ \forall a \in A$, $\{m \in M \mid H(m, L(v,s)) = a\} = \{m \in M \mid L(m) \otimes L(v,s) = a\}$
$= \{m \in M \mid s(m)_j^2 \eta^{v(m)_j} s_j^2 \eta^{v_j} \bmod n = a_j,\ 1 \le j \le 6\}$
$= \{m \in M \mid s(m)_j^2 \eta^{v(m)_j} \bmod n = x_j \eta^{v'_j} \bmod n,\ 1 \le j \le 6\}$ with $a_j s_j^{-2} \eta^{-v_j} = x_j \eta^{v'_j}$, where $x_j$ is a quadratic residue mod $n$
$= \{m \in M \mid s(m)_j^2 = x_j \text{ and } v(m)_j = v'_j,\ 1 \le j \le 6\}$
But each of these 6 equations has 4 solutions. So $\#\{m \in M \mid H(m, L(v,s)) = a\} = 4^6$.

6) Suppose we have $x \in \mathbb{Z}_n^*[+1]$. If a polynomial fraction in $\log(\#M \times C)$ values of $H(m, c)$ were easy to invert given $c$, then we could choose $a_{k,1} = c_{k,1}\, s_k^2\, \eta^{v_k}\, x \bmod n$, with $a_{k,2}, a_{k,3}, a_{k,4}, a_{k,5}, a_{k,6}$ random numbers in $\mathbb{Z}_n^*[+1]$, for polynomially many random $c_k, s_k, v_k$ and, with a very high probability, find a solution to $a_{k_0} = H(m, c_{k_0})$ ($k_0$ is one of the values attempted), using that inversion algorithm. One can check that $s_{k_0}^{-1} s_1(m)$ would then be a solution to $(s_{k_0}^{-1} s_1(m))^2 \eta^{v_1(m) - v_{k_0}} \equiv x \pmod n$. This would imply we can decide quadratic residuosity (mod $n$) (in contradiction with QRA).

7) Clearly $L, U, H, R$ are easy to compute.
□
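The following added Python toy (not the paper's code) instantiates the section 5.2 functions $\lambda$, $\mu$, $L$, $U$, $H$ and $R$ on a tiny modulus. Both primes are taken $\equiv 3 \pmod 4$, an assumption made here only so that the four square roots in step 5 of the proof can be enumerated with the $(p+1)/4$ exponent; `preimages_coord` reproduces that step for one coordinate and `preimage_count` the $4^6$ total, and the last assertion in the usage exercises the theorem below that $U(H(m,c))$ does not depend on $s(m)$. The primes, the search for $\eta$, and the helper names are constructed for the example.

```python
"""Toy instance of the section 5.2 (GM) functions L, U, H, R.  Added example,
not the paper's code.  The primes are tiny and insecure; they are chosen
≡ 3 (mod 4) only so that square roots mod n are cheap to enumerate here."""
import secrets

P, Q = 1031, 1039          # constructed toy primes, both ≡ 3 (mod 4)
N = P * Q


def legendre(x, p):
    """Legendre symbol (x/p) as +1 or -1, for x coprime to the odd prime p."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def find_eta():
    """eta with (eta/p) = (eta/q) = -1: Jacobi symbol +1, yet a non-residue."""
    x = 2
    while not (legendre(x, P) == -1 and legendre(x, Q) == -1):
        x += 1
    return x


ETA = find_eta()


def rand_unit():
    """A random element of Z_n^*."""
    while True:
        s = secrets.randbelow(N - 2) + 2
        if s % P and s % Q:
            return s


def rand_seed():
    """A random s = (s_1,...,s_6) in S = (Z_n^*)^6."""
    return tuple(rand_unit() for _ in range(6))


def bits(v):
    """v in {0,...,63} as (v_1,...,v_6), v_1 the most significant bit."""
    return tuple((v >> (5 - j)) & 1 for j in range(6))


def unbits(b):
    """Inverse of bits()."""
    return sum(bit << (5 - j) for j, bit in enumerate(b))


def lam(x, y):
    """lambda(x,y) = y^2 * eta^x mod n: a GM encryption of the bit x."""
    return (pow(y, 2, N) * pow(ETA, x, N)) % N


def mu(x):
    """mu(x) = 0 iff x is a quadratic residue mod n (decided with p and q)."""
    return 0 if legendre(x, P) == 1 and legendre(x, Q) == 1 else 1


# V = K = {0,...,63}, S = (Z_n^*)^6, C = A = Z_n^*[+1]^6, M = V x S, m = (v(m), s(m))
def L(v, s):
    """L(v,s) = (lambda(v_1,s_1), ..., lambda(v_6,s_6))."""
    return tuple(lam(vj, sj) for vj, sj in zip(bits(v), s))


def U(a):
    """U(a) = (mu(a_1),...,mu(a_6)), read back as a 6-bit value."""
    return unbits(tuple(mu(aj) for aj in a))


def H(m, c):
    """H(m,c) = L(m) ⊗ c: coordinate-wise product mod n."""
    return tuple((x * y) % N for x, y in zip(L(m[0], m[1]), c))


def R(m, c, k):
    """R(m,c,k) = v(m) ⊕ k (as used in step 4 of the proof)."""
    return m[0] ^ k


def square_roots(t):
    """All four square roots of a quadratic residue t mod n (p, q ≡ 3 mod 4)."""
    rp, rq = pow(t, (P + 1) // 4, P), pow(t, (Q + 1) // 4, Q)
    return {(a * Q * pow(Q, -1, P) + b * P * pow(P, -1, Q)) % N   # CRT
            for a in (rp, P - rp) for b in (rq, Q - rq)}


def preimages_coord(a_j, c_j):
    """Proof step 5, one coordinate: the 4 pairs (v(m)_j, s(m)_j) with
    lambda(v(m)_j, s(m)_j) * c_j == a_j (mod n).  Six coordinates give 4^6 masks."""
    t = (a_j * pow(c_j, -1, N)) % N
    bit = mu(t)                       # t residue -> v(m)_j = 0, else 1
    return {(bit, s) for s in square_roots((t * pow(ETA, -bit, N)) % N)}


def preimage_count(a, c):
    """#{m in M | H(m,c) = a}, enumerated coordinate by coordinate."""
    total = 1
    for a_j, c_j in zip(a, c):
        total *= len(preimages_coord(a_j, c_j))
    return total
```

Because $U$ only reads residuosity, any of the $4^6$ masks consistent with $(a, c)$ yields the same key, which is the concrete content of the theorem that follows.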

This implementation is particular because no encoding of $m \in M$ is needed to prove that someone knew $m$ before using it in the Hiding-Revealing transaction. This is because of the next result:

Theorem: $m$ cannot be computed from $U(H(m, c))$ and $c$, for any $m \in M$, $c \in C$.
Proof: $U(H(m, c))$ is independent of $s(m)$.

Suppose $P_j$ makes a Hiding-Revealing transaction with $P_i$. If he doesn't know $m$ before the transaction he cannot know it after, since $s(m)$ cannot be computed from $U(H(m, c))$. So to prove that he knew $m$ before the transaction, $P_j$ just has to prove he knows it at the end of the game, since nothing has revealed this value to him after the transaction or later in the game.

6. Multi-Player protocol 

We now extend the previous protocol to the multi-player problem. Suppose that $P_1, P_2, \dots, P_j$ want to play poker. The preparation protocol is identical to the two-player version. A card will be accessed as $\pi_j(\pi_{j-1}(\dots(\pi_2(\pi_1(v)))\dots))$ for $v \in \{1,2,3,\dots,52\}$. Suppose $P_n$, $n \in \{1,2,\dots,j\}$, wants to get a card.

Card reading Protocol 3

Step 1. $P_n$ picks at random $v \in \{1,2,3,\dots,52\}$ and marks it as "used".

Step 2. $v_1 = v$.

Step 3. FOR $i = 1$ TO $n-1$ DO

Step 3.1 $P_n$ asks $P_i$ to reveal $\pi_i(v_i)$;

Step 3.2 $P_i$ answers $\pi_i(v_i)$ publicly;

Step 3.3 $P_n$ sets $v_{i+1} = \pi_i(v_i)$;

Step 4. $P_n$ secretly computes $v_{n+1} = \pi_n(v_n)$;

Step 5. FOR $i = n+1$ TO $j$ DO

Step 5.1 $P_n$ secretly gets $v_{i+1} = \pi_i(v_i)$ using the Hiding-Revealing protocol with $P_i$;

Step 6. $P_n$'s new card is $v_{j+1}$.

This way, $P_n$ computes $v_{j+1} = \pi_j(\pi_{j-1}(\dots(\pi_2(\pi_1(v)))\dots))$ and nobody except himself knows $v_{n+1}, \dots, v_j, v_{j+1}$. All the proofs of fairness described in the two-player version can be used again in the multi-player case. Again depending on the implementation, $O_i$'s may be needed to obtain proofs of fairness in the Hiding-Revealing protocol. Finally the order of revelations at the end of the game must be the same as in the protocol for two players when those $O_i$'s are not used.

7. Security against player coalitions 

The main improvement of this protocol is protection against coalitions. If some players form a coalition, they will not get any advantage from it, other than learning each other's hand. Since every card is accessed through each permutation, no subset of the players can know anything about the cards of the other players, other than knowing that they are not the cards within the coalition. Assume some player $P_i$ is not a member of a coalition (by this we mean that $P_i$ does not reveal any private information to any other player); then by the construction of the protocol we know that the values $v_{i+1}, \dots, v_j, v_{j+1}$ are secret and known only to himself for each of his cards. Since the $v_{j+1}$'s actually identify his cards, nobody has any information on them (unless someone has not followed the protocol, but in that case he will be detected at the end of the game). Similarly, no coalition can influence the cards drawn by an honest player.

8. Playing other games 

Our new protocol can be extended to play almost any card game, as well as other kinds of games, such as Scrabble. Fortune and Merritt [FM] mentioned games that could not be played with their protocol. With our protocol, one can play any game where cards have to be exchanged between players more than once, or where cards may be dealt and discarded many times. Suppose for instance that $P_n$ wants to get a card from $P_i$'s hand.

Card exchange Protocol

Step 1. $P_i$ reveals, in a random order, a locked version of his cards ($L_i(x, s_x)$ for each card $x$ in his hand, with a random seed $s_x \in S_i$).

Step 2. $P_n$ picks one of them, and tells which one to $P_i$.

Step 3. $P_i$ returns $L_n(x, s)$ with a random seed $s \in S_n$, where $x$ is the card $P_n$ wants.

Step 4. $P_n$ recovers $x$ using $H_n, U_n, R_n$.

This way, only $P_i$ and $P_n$ know which card was exchanged. In fact, everybody will be able to check this operation at the end of the game when $P_i$ reveals the $s_x$'s. Also no information, like the identity of the previous players who ever had the card, is embedded with it. One might think that the following solution is sufficient, but in fact it is not. $P_n$ picks a value that $P_i$ claims as "used" and reads it using the Hiding-Revealing protocol. $P_n$ has to inform $P_i$ of which card he has picked, so that $P_i$ knows that this card is no longer in his hand. But if later $P_i$ has to pick a card from $P_n$'s hand, he will be able to choose the same card $P_n$ had picked before, since he knows how to access it.

One can notice a problem with discarding in our standard protocol if the game played allows several dealings and discardings of cards. Suppose cards were dealt and then some were discarded. Suppose we deal some more cards and then discard some of the cards in our new hands (there are variants of poker in which players may ask twice to change cards). On the second discarding operation each player knows if the discarded cards of his opponents come from the initial hand or from the new one dealt, since the "discard" markers are tagged on to the public values $v \in \{1,2,\dots,52\}$. This information may be compromising. To solve this, a card should be discarded by revealing a coded version of it and declaring it discarded (this idea was introduced in [Yu]). If $P_i$ wants to discard the card $\pi_j(\pi_{j-1}(\pi_{j-2}(\dots(\pi_2(\pi_1(v)))\dots)))$, instead of marking $v$ as "discarded", he does the following:

Discarding Protocol

$P_i$ posts $L_i(v, s)$ for some $s \in S_i$ and declares it "discarded".

At the end of the game, when $P_i$ reveals $v$ and $s$, the other players will be able to determine which cards $P_i$ has accessed, which are still in his hand and which were discarded during the game. Just like in the exchange of cards, this reveals no information on its origin.

Another interesting feature of this protocol is the ability to return cards into the deck. Initially, each player goes through the Preparation Protocol, exactly as before, and uses the other protocols for the other standard operations. Suppose that some players (maybe only one) want to return some cards (maybe only one) into the deck for the $n$-th time. It would not suffice to change their marks from "used" to "free", because this would allow the next person who selects one of these cards to know that it had been in someone's hand previously. The entire deck, including the cards just returned to it, must be re-shuffled by:

Card Returning Protocol (part 1)

Each player $P_i$:

Step 1. Picks $\pi_{i,n}$, a new permutation of $\{1,2,\dots,52\}$.
Step 2. Picks $s_{i,1,n}, s_{i,2,n}, \dots, s_{i,104,n} \in S_i$ at random.
Step 3. Posts $l_{i,n}(v) = L_i(\pi_{i,n}(v), s_{i,v,n})$, $1 \le v \le 52$.
Step 4. Posts $l_{i,n}(v + 52) = L_i(\pi_{i,n}^{-1}(v), s_{i,v+52,n})$, $1 \le v \le 52$.
Step 5. Sets $\pi_i = \pi_{i,n}$.



When this is all done, the players will have to read backwards the new origin of the cards they have under their control (in their hands and among those they have discarded). They will not be able to cheat on this since the other players will check the correspondence between the cards had under each of the



Card Returning Protocol (part 2)

Each player $P_i$, for each card $c$ under his control he wishes to keep:

Step 1. Sets $c_j = c$;

Step 2. FOR $t = j$ DOWNTO $i+1$

Step 2.1 Reads $\pi_{t,n}^{-1}(c_t)$ using the Hiding-Revealing protocol with $P_t$;

Step 2.2 Sets $c_{t-1} = \pi_{t,n}^{-1}(c_t)$;

Step 3. Sets $c_{i-1} = \pi_{i,n}^{-1}(c_i)$;

Step 4. FOR $t = i-1$ DOWNTO 1

Step 4.1 Reads $\pi_{t,n}^{-1}(c_t)$ using the Hiding-Revealing protocol with $P_t$;

Step 4.2 Sets $c_{t-1} = \pi_{t,n}^{-1}(c_t)$;

Step 5. Declares $c_0$ (the origin of $c$) as "used".

These operations can all be verified when the $\pi_{i,n}$'s and the $s_{i,v,n}$'s for $1 \le v \le 104$ are revealed. Notice that this feature enables the implementation of "a Scrabble Protocol that minimizes the effect of player coalitions". To do this, change cards into letters and the deck into the box of letters. Then the dealing of letters is similar to the dealing of cards, and so on. But since letters can be returned into the box, this last feature is necessary to implement that game.
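As an added simulation (not the paper's code) of the bookkeeping in Card reading Protocol 3, of the coalition argument of section 7 and of the read-back in part 2 of the Card Returning Protocol: the permutations are applied directly in place of locking and Hiding-Revealing, so what it shows is which $v_i$ become public, which stay with $P_n$, what a coalition of every other player can still enumerate for $P_n$'s card, and that the slot $c_0$ traced back through the new permutations regenerates the held card. The helper names (`read_card`, `coalition_candidates`, `origin_after_reshuffle`, `demo`) and the seeds are constructed for the example.

```python
"""Bookkeeping of Card reading Protocol 3 (section 6), the coalition view of
section 7 and the read-back of the Card Returning Protocol (part 2).  Added
simulation, not the paper's code: locking and Hiding-Revealing are abstracted
away; each player's permutation is simply applied, and the simulation records
which intermediate values v_i were spoken publicly and which stayed secret."""
import random

DECK = list(range(1, 53))


def make_perms(j, seed):
    """One random permutation pi_i of {1,...,52} for each of P_1..P_j."""
    rng = random.Random(seed)
    return [dict(zip(DECK, rng.sample(DECK, 52))) for _ in range(j)]


def forward(perms, v):
    """pi_j(...(pi_1(v))...) for the given list of permutations."""
    for perm in perms:
        v = perm[v]
    return v


def read_card(perms, n, v):
    """Protocol 3 for player P_n (1-based) drawing the free value v.
    Returns (card, public, secret): public = v_2..v_n answered in step 3,
    secret = v_{n+1}..v_{j+1} computed in steps 4-5 and known only to P_n."""
    j = len(perms)
    chain = [v]                                    # step 2: v_1 = v
    for i in range(1, j + 1):                      # steps 3-5: v_{i+1} = pi_i(v_i)
        chain.append(perms[i - 1][chain[-1]])
    public, secret = chain[1:n], chain[n:]
    return chain[-1], public, secret               # step 6: the card is v_{j+1}


def coalition_candidates(perms, n, known_pi_n_outputs):
    """Section 7: everyone except P_n, pooling all pi_i (i != n) and the public
    v_2..v_n, still lacks v_{n+1} = pi_n(v_n).  Their candidate set for P_n's
    card is the image under pi_{n+1}..pi_j of every output of pi_n that P_n
    has not yet had to reveal publicly on other players' draws."""
    unknown = set(DECK) - set(known_pi_n_outputs)
    return {forward(perms[n:], x) for x in unknown}


def origin_after_reshuffle(new_perms, card):
    """Card Returning Protocol part 2: trace the card back through the inverses
    pi_{t,n}^{-1}, t = j down to 1.  c_0 is the slot P_i must declare "used"."""
    c = card
    for perm in reversed(new_perms):
        inverse = {val: key for key, val in perm.items()}
        c = inverse[c]
    return c


def demo(seed=3, players=4, n=2, v=17):
    """One draw by P_n, the coalition's view of it, then one reshuffle."""
    perms = make_perms(players, seed)
    card, public, secret = read_card(perms, n, v)
    cands = coalition_candidates(perms, n, known_pi_n_outputs=[])
    new_perms = make_perms(players, seed + 1)       # part 1: fresh pi_{i,n}
    c0 = origin_after_reshuffle(new_perms, card)
    return (card == forward(perms, v), len(public), len(secret),
            len(cands), forward(new_perms, c0) == card)


if __name__ == "__main__":
    print(demo())    # (True, 1, 3, 52, True)
```

With four players and $n = 2$, one value ($v_2$) is public and three ($v_3, v_4, v_5$) stay with $P_2$; the coalition's candidate set is the whole deck until $P_2$ has revealed outputs of $\pi_2$ on other draws, and each such revelation removes exactly one candidate.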

9. Open Problem

Nothing is quite perfect. There is one thing our protocol cannot do. The strategy of each player is completely revealed at the end of each game, since our protocol asks everyone to show every piece of information involved in the protocol. It makes it impossible for the players to bluff. Real poker players would never accept to play such a game. Although we believe such a protocol can be achieved, we do not have a complete solution yet.

10. Acknowledgements

I wish to thank Gilles Brassard, Pierre McKenzie and Jean-Marc Robert for fruitful discussions and for the numerous comments they made on the protocols.

11. REFERENCES

[BF] Barany, I. and Furedi, Z., "Mental Poker with Three or More Players", in Information and Control, 59 (1983), pp. 84-93.

[BG] Blum, M. and Goldwasser, S., "An Efficient Probabilistic Public-Key Encryption Scheme which Hides All Partial Information", in Advances in Cryptology: Proc. of Crypto 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science 196, Springer-Verlag, Berlin, 1985, pp. 289-299.

[CG] Chor, B. and Goldreich, O., "RSA/Rabin Least Significant Bits Are 1/2+1/poly(log n) Secure", in Advances in Cryptology: Proc. of Crypto 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science 196, Springer-Verlag, Berlin, 1985, pp. 303-313.

[FM] Fortune, S. and Merritt, M., "Poker Protocols", in Advances in Cryptology: Proc. of Crypto 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science 196, Springer-Verlag, Berlin, 1985, pp. 454-464.

[GM1] Goldwasser, S. and Micali, S., "Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information", in Proceedings of the 14th Annual ACM Symp. on Theory of Computing, ACM-SIGACT, May 1982, pp. 365-377.

[GM2] Goldwasser, S. and Micali, S., "Probabilistic Encryption", in J. Comput. System Sci., 28 (1984), pp. 270-299.

[RSA] Rivest, R., Shamir, A. and Adleman, L., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", in Communications of the ACM 21, 2 (February 1978), pp. 120-126.

[SRA] Shamir, A., Rivest, R. and Adleman, L., "Mental Poker", MIT Technical Report, 1978.

[Yu] Yung, M., "Cryptoprotocols: Subscription to a Public Key, The Secret Blocking and the Multi-Player Mental Poker Game", in Advances in Cryptology: Proc. of Crypto 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science 196, Springer-Verlag, Berlin, 1985, pp. 439-453.



A Framework for the Study of Cryptographic Protocols 

Richard Berger (*) 
Sampath Kannan (**) 
Rene Peralta (***)

Computer Science Division 
University of California 
Berkeley, California. 



ABSTRACT 

We develop a simple model of computation under which to study the meaning of 
cryptographic protocol and security. We define a protocol as a mathematical object and 
security as a possible property of this object. Having formalized the concept of a secure 
protocol we study its general properties. We back up our contention that the model is 
reasonable by solving some well known cryptography problems within the framework of 
the model. 

1. Introduction. 

It can be argued that cryptographers have been able to provide satisfactory solutions to only the 
simplest among the problems involving transactions between mutually suspicious parties. In this category 
lie problems like flipping coins [1], exchange of a single bit [2] (or a fraction of a bit [3]), demonstrating the 
truth of some boolean predicates on the secret keys [4], and the Oblivious Transfer [5] [6]. Harder problems 

(*) Research sponsored in part by GTE fellowship. (**) Research sponsored by the Helen and George Pardee Fellowship. (***) Research sponsored in part by NSF grant MCS-82-04506 and by Universidad Catolica de Chile.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 87-103, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






which in our opinion have not been completely solved include exchange of secret keys [7], certified mail [8], 
contract signing [9], and mental poker [10] [11]. The published solutions to the latter problems either have 
not been proven secure or use the cryptographic definition of one-way function. Cryptographers use the term 
one-way function to mean a function which has whatever it takes to make its use in cryptographic protocols 
secure. In particular, (cryptographic) one-way functions reveal no partial information about their inverse 
value. Even though one-way functions are useful theoretical objects, the actual encryption functions 
available in the literature are not one-way functions in this strong sense. Even the probabilistic encryption 
methods of Blum, Blum, and Shub [12] [13] have not been shown secure under multiple encryptions of the 
same message or of functionally related messages. It is not clear that there exist secure solutions for the
harder problems mentioned above which assume only the hardness of inverting an encryption function. If
these solutions do exist, it is likely that considerably more powerful theoretical tools will have to be 
developed before they can be found. The development of such tools is the objective of this research. 

In this paper, we define a cryptographic protocol as a mathematical object and security as a property of 
this object. Having formalized the concept of a secure protocol, we study its general properties. One of our 
main motivations for this work is the problem of combinations of protocols. It has been implicitly assumed 
in the literature that if two protocols are secure then these protocols can be performed sequentially without 
loss of security. This assumption turns out to be false more often than not. For example the seemingly 
harmless act of encrypting the same message using Rabin's encryption function under two different 
composite numbers is insecure. The message can be retrieved in polynomial time from the two encryptions 
[14]. The use of RSA with small exponent has similar problems [15]. In our model we are able to show a 
class of secure protocols which is closed under sequential execution. We call protocols in this class strongly 
secure. 

Finally, we provide strongly secure solutions to some of the simpler problems discussed above.
Solutions to more complex problems typically use these simpler protocols as subroutines. For example the
coin flipping protocol is used in practically all solutions to the mental poker problem. Our results, while
leaving open the problem of finding secure solutions to the harder class of transaction problems, increase
our confidence in the use of simpler protocols as subroutines to more complex protocols.

2. The Protocol Environment or Model of Computation. 

We think of a protocol as occurring between two Probabilistic Turing Machines (PTMs) A and B which operate synchronously. Each PTM has, besides its computation tape, a one-way infinite tape for incoming messages. We call this tape the "mailbox" of the machine. The PTMs communicate by writing into each other's mailbox (Fig. 1).

We call such a system a CPTM (for Communicating Probabilistic Turing Machines). The mailbox tape symbols are digits, unary minus, letters, punctuation marks, and an end-of-message marker.

The PTMs have the capacity of reading a symbol from their mailbox at the same time as the symbol is being written. This convention is not essential to the model, and any of the common resolutions of concurrent write-read will do.






CPTMs satisfy an "independence condition" which is stated as follows: 

Independence Condition for CPTMs. 

For all $j$, the conditional distribution of A's (B's) $j$-th message given the prior messages between A and B is independent of the state of B (A) at the time of the message.

The Independence Condition holds for CPTMs because all communication in a CPTM occurs via 
mailboxes. 

Figure 1. Communicating Probabilistic Turing Machines. [Diagram: a common clock drives both machines; A and B each have a computation tape and a mailbox, and each has a write-only connection into the other's mailbox.]

Our model will assume that factoring large integers is hard: 

Definition - A Blum Integer is a composite $N = PQ$ where $P$ and $Q$ are primes, both congruent to 3 mod 4, and the 
length of $P$ is equal to the length of $Q$. 

Assumption - Factoring Blum Integers is hard: For every poly-time probabilistic Turing Machine M, and 
any polynomial $p$, the probability that machine M factors a random n-bit Blum Integer is asymptotically less 
than $1/p(n)$. 

3. Protocols Under the Assumption that Factoring Large Integers is Hard. 

We now turn to the study of CPTMs whose parts A and B have computed and interchanged keys $N_A$ 
and $N_B$ with the following properties (let $N$ be the key): 

i) The Jacobi symbol $\left(\frac{-1}{N}\right) = 1$. 

ii) $N$ has exactly two distinct prime factors, both odd. 

iii) if $z$ is a quadratic residue modulo $N$, then there 
exist roots $x$ and $y$ of $z$ with opposite Jacobi symbols. 

From now on when we refer to a number being a (public) key, we mean a number having properties i-iii. 
Under the assumption that factoring Blum integers is hard, A and B can generate (factored) keys whose 
factorization cannot be computed by the opposite party. We will later show that there exist protocols such 
that the parties to the CPTM can convince each other that $N_A$ and $N_B$ are keys without helping each other 
factor the key. Note that not all numbers satisfying properties i-iii are Blum integers. We choose this 
definition of public key because we know of no secure protocol by which the parties can convince each other 
that $N_A$ and $N_B$ are Blum integers. On the other hand these properties are enough to solve the problems 
typically solved by protocols using Blum integers. 

4. Initialization of a CPTM. 

The initial input to both A and B is a positive integer n, called the "security parameter" of the CPTM. 
The following steps are then carried out: 

Step 1 - A computes a key $N_A$ of length n and writes it on B's mailbox. 
Step 2 - B reads $N_A$ from its mailbox. 

Step 3 - B computes a key $N_B$ of length n and writes it on A's mailbox. 
Step 4 - A reads $N_B$ from its mailbox. 

We start counting steps after initialization is completed, i.e. when we say the k-th step we mean the 
k-th click of the common clock after initialization. 

We cannot assume that A and B follow the initialization protocol. However, we will assume $N_A$, $N_B$ are 
odd, composite, have length n, and satisfy property i) above. We can safely assume these properties because 
they are verifiable in polynomial time by a PTM without access to the factorization of $N_A$, $N_B$. We will later 
exhibit protocols through which A (B) can prove to B (A) that properties ii) and iii) hold without helping the 
opponent factor $N_A$ ($N_B$). 

5. The Definition of Cryptographic Protocol. 

The concept of cryptographic protocol is used in various ways in the literature. The most common use 
of the term refers to two or more programs or computers with various communication capabilities. An 
alternative definition, proposed in [16], [17], [18] and [19], considers a protocol as a sequence of operators on 
messages. We will consider only 2-party protocols in which the parties are mutually distrusting. Our 
definition of cryptographic protocol refers not to the machines executing a communication but to the rules of 
such interaction. We will also ignore the problems of saboteurs or eavesdroppers on communication lines. 

Definition - A protocol $\Pi$ is a pair $[L, t(n)]$ ($L \in \mathbb{N}$, $t(n)$ a polynomially bounded function of n) and two sets 
of predicates 

$P_i^A(m_1^A, \ldots, m_i^A, m_1^B, \ldots, m_i^B)$ and $P_i^B(m_1^A, \ldots, m_i^A, m_1^B, \ldots, m_i^B)$ for $i = 1, \ldots, L$. 

We denote the sequences $\{P_i^A\}$, $\{P_i^B\}$ by $P^A$, $P^B$ respectively. $L$ and $t(n)$ are called the "length" of $\Pi$ and 
the "time between messages" of $\Pi$ respectively. The semantics of this definition is as follows: $m_i^A$ is the 
state of B's mailbox at time $(2i-1) \cdot t(n)$; $m_i^B$ is the state of A's mailbox at time $2i \cdot t(n)$. It is the 
responsibility of A to see that $P_i^A$ is true for all $i$. It is the responsibility of B to see that $P_i^B$ is true for all $i$. 

The sequence $(m_1^A, m_1^B, \ldots, m_L^A, m_L^B)$ is called a conversation between A and B. The reason we define 
$m_i^A$, $m_i^B$ as states of mailboxes rather than as messages is that the former is always defined whereas the 
latter may not exist if one of the parties does not follow the protocol. As a consequence of this definition we 
may define the probability distribution $\varphi_n$ of $(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ for fixed PTMs A and B. 






We will typically leave $t(n)$ unspecified and argue simply that all computations necessary between 
messages can be done in probabilistic polynomial time. If A and B are fixed PTMs and $\Pi$ is a protocol we 
denote the ordered triple $(\Pi, A, B)$ by $\Pi(A,B)$. 

Let the symbol $\wedge$ stand for logical AND. We define the predicates 

$P^A(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ and $P^B(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ as $\bigwedge_{i=1}^{L} P_i^A$ and $\bigwedge_{i=1}^{L} P_i^B$ respectively. 

i i 

Protocol 1: Verifying that $N_A$ satisfies property iii: if $z$ is a quadratic residue modulo $N_A$, then there 
exist roots $x$ and $y$ of $z$ with opposite Jacobi symbols. 

Blum [1] proposed the following protocol: 
For i := 1 to 100 

1. A sends to B a random quadratic residue $x_i$ mod $N_A$. 

2. B sends to A $b_i = 1$ or $-1$ at random. 

3. A sends to B a root of $x_i$ mod $N_A$ with Jacobi symbol $b_i$. 

If $N_A$ satisfies property iii, then A will always be able to perform step 3. Otherwise, the probability 
that A can always respond at step 3 is $\le 2^{-100}$. 

In our formalism this protocol is written as follows: 

$\Pi_1$: Do 100 times the following protocol 
$P_1^A = (m_1^A \in Z_{N_A})$ 
$P_1^B = (m_1^B \in \{-1, 1\})$ 
$P_2^A = (\text{if } P_1^B \text{ then } (m_2^A)^2 \equiv m_1^A \pmod{N_A} \text{ and } \left(\frac{m_2^A}{N_A}\right) = m_1^B)$ 
$P_2^B = (m_2^B = \text{"thanks"})$ 

Notice that this protocol does not tell B how to behave in order to obtain proof that $N_A$ has property iii 
(whereas Blum's version explicitly states how the parties should choose their messages). However, we can 
show that there exists a poly-time PTM B which follows the protocol such that, after the protocol, either A 
has been caught cheating, or the probability that $N_A$ satisfies iii is at least $1 - 2^{-100}$. Throughout this paper we 
take the position that a protocol merely allows the parties to behave so as to achieve the desired goal; it cannot 
force them to do so. 

6. Security. 

We must first develop some notation. 
Definition - A key-generator with input n generates a random factored n-bit Blum integer. 
Definition - A poly-time PTM A is an honest player for protocol $\Pi$ if: 

1) its first step is a call to a key generator which returns $(P_A, Q_A)$ 

2) it goes through the initialization process with $N_A = P_A Q_A$ 

3) for all poly-time PTM B the probability of $P^A(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ is 1. 

Since PTM's have limited computational power it is possible that there exists no honest player for a 
particular protocol. This motivates the following definition : 

Definition - A protocol $\Pi$ is A-feasible if there exists an honest player A for $\Pi$. We define B-feasible 
similarly. A protocol is feasible if it is A-feasible and B-feasible. 

Definition - We say a protocol is A-secure if there exists an honest player A for $\Pi$ such that for all poly-
time PTM B the probability that B factors $N_A$ goes to zero with n. The definition of B-security is 
analogous. We say a protocol is secure if it is both A-secure and B-secure. 

We now define the notion of a simulatable player. This notion is essential for proving security of 
protocols. We want to put in precise terms the intuitive notion that if machine B can simulate the behavior 
of machine A in the protocol, then it is not possible for A to have released enough information for B to 
factor A's key. 

There are a number of alternative definitions for the notion of simulator. Do we allow a machine 
which is simulating A to look at B's coin-tosses? Precisely what is to be simulated? In [4] (henceforth called 
the GMR model), simulators are considered which simply attempt to produce a sequence of messages with 
the same probability distribution as the actual conversation between A and B. That is, no attempt is made 
in that model to duplicate the environment in which a conversation between A and B takes place. For 
example, if B sends a random quadratic residue $x$ mod $N_A$ to A, and A replies with a random square root of 
$x$ modulo $N_A$, then it is easy to produce conversations with the same probability distribution as the actual 
conversation between A and B. To do this a machine M simply computes a random number $x$ modulo $N_A$ 
and lets $x^2$ mod $N_A$ be the message from B to A and $x$ be the message from A to B. In the GMR model A is 
said to release 0 knowledge to B. On the other hand, we know that A has a chance of at least 1/2 of 
releasing the factorization of $N_A$ in this protocol (this is Rabin's Oblivious Transfer Protocol [8]): with probability 1/2 the random root A returns is neither $x$ nor $-x$, and then $\gcd(x + \text{root}, N_A)$ is a prime factor. This 
awkward problem in the GMR model has no further consequence since, in that model as in this one, we are 
really interested in machines A which release no information to any machine B. For example, suppose B' is 
as B above except that it sends A the factorization of $N_A$ if it obtains it. Then it is clear that there is no 
machine M which simulates A against B' unless factoring is in RP. Hence A does release knowledge to B', 
even though it does not release knowledge to B. In the GMR model machine A is said to release 0 
knowledge if for all machines B, it releases 0 knowledge to B. 

More serious drawbacks of the definitions in the GMR model are that i) it does not seem to go beyond 
the obvious statement that A releases no knowledge if and only if no machine B can put knowledge on the 
communication tape after a conversation (and hence it does not seem to provide a tool for the construction of 
0-knowledge protocols); and ii) it is not clear whether or not the sequential execution of a polynomial 
number of 0-knowledge protocols is still 0-knowledge (concatenation of protocols is a major goal in this 
model). 

We will require that a simulator for machine A against machine B not only produce a possible 
conversation with the same distribution as conversations between A and B, but that it does so while 
duplicating the interaction that B has with A. It would be too restrictive to require a simulator to do 
this all the time , since it seems that in that case a simulatable machine A could not make use of the 
factorization of its key. Thus we relax this condition by requiring that a simulator succeeds in simulating A 
with a constant probability greater than 0. In addition to this we must require that a simulator realizes 
whether or not it succeeded in simulating A, otherwise simulatable protocols turn out to be 
unconcatenatable. We now formalize these definitions. 

Let $\Pi$ be a protocol and B a player. Let A be an honest player which generates a random n-bit Blum 
integer $N_A$ for a key. Recall that an honest player A will have put $m_i^A$ in B's mailbox by time $(2i-1) \cdot t(n)$. 
Let S be a procedure which, when called by B at time $(2i-1) \cdot t(n)$, returns a message. Let B[S] be 
machine B except that at step $(2i-1) \cdot t(n)$ (after initialization) of B, B[S] calls S and takes the returned message as $m_i^A$. We 
also give B[S] some extra power as follows: at any time B[S] may return to an earlier configuration and re-
start the computation from there. However, we will require that B[S] run in random polynomial time. We 
also require that S and B satisfy the Independence Condition for CPTMs defined in section 2. Notice that 
B[S] is a poly-time PTM with input n, $N_A$. Thus, if $N_A$ is a random n-bit Blum integer, the probability that 
B[S] can factor $N_A$ is asymptotically 0 by assumption. 

We define $\sigma_n$ to be the probability distribution of $(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ in B[S] with security 
parameter n. Recall that $\varphi_n$ is the distribution of conversations between A and B with security parameter n. 

Definition - Let $\Pi$ be a protocol with A an honest player. We say S is an A-simulator for $\Pi$ if for n 
sufficiently large, for all players B, and for all pairs $(N_A, N_B)$, machine B[S] satisfies the following conditions: 

i) the probability $p$ of $P^A(Y)$ given $N_A, N_B$ is 
a constant greater than 0 and the event $P^A(Y)$ 
is independent of B's coin tosses. 

ii) S decides $P^A(x)$ with error probability 0 for all $x$. 

iii) $\sigma_n(x \mid P^A(Y), N_A, N_B) = \varphi_n(x \mid N_A, N_B)$ for all $x$. 

where $Y$ is a random variable which assumes values $(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ in B[S]. 

Since B[S] can return to earlier configurations we see that the constant $p$ can be made exponentially 
close to 1. For example, if $P^A(Y)$ holds with probability $p$ for machine B[S], we can define another machine B'[S] which runs B[S] and, 
if $P^A(Y)$ is not true, runs B[S] again. The probability that $P^A(Y)$ is true for B'[S] is now $1 - (1-p)^2$. In general, if 
we allow for $k$ trials of B[S], the probability of $P^A(Y)$ is $1 - (1-p)^k$. 

Definition - Let $\Pi$ be a protocol and A an honest player for $\Pi$. We say A is simulatable if there exists an 
A-simulator for $\Pi$. 






Theorem 1. Let $\Pi$ be a protocol and A an honest player for $\Pi$. If A is simulatable and S is a simulator 
for A then for any pair of keys $(N_A, N_B)$, the probability that B factors $N_A$ given $(N_A, N_B)$ is less than a 
constant times the probability that B[S] factors $N_A$. The constant is independent of the keys. 

Proof: Fix A, B, $N_A$, $N_B$. Let S be an A-simulator for $\Pi(A,B)$. Let $X$, $Y$ be random variables which 
assume values $(m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B)$ in $\Pi(A,B)$ and in B[S] respectively. 
Let $E$ be the event that B factors $N_A$ in $\Pi$. Let $E'$ be the event that B[S] factors $N_A$. For the remainder of 
the proof all probabilities are conditional on the values of $N_A$, $N_B$. 

Let $\Omega$ be the message space and $x = (m_1^A, \ldots, m_L^A, m_1^B, \ldots, m_L^B) \in \Omega^{2L}$. Recall $\varphi_n(x) = \sigma_n(x \mid P^A(Y))$ and 
note that the independence condition on S implies that for all $x$, $\Pr(E \mid X = x) = \Pr(E' \mid Y = x)$. 

Thus, 

$$\begin{aligned}
\Pr(E) &= \sum_{x} \varphi_n(x) \cdot \Pr(E \mid X = x) \\
&= \sum_{x} \sigma_n(x \mid P^A(Y)) \cdot \Pr(E' \mid Y = x) \\
&= \sum_{x} \sigma_n(x \mid P^A(Y)) \cdot \Pr(E' \mid (Y = x) \wedge P^A(Y)) \\
&= \Pr(E' \mid P^A(Y)) \\
&\le \frac{\Pr(E')}{\Pr(P^A(Y))} = \frac{\Pr(E')}{p}.
\end{aligned}$$

The third equality is justified by the fact that every $x$ in the support of $\sigma_n(\cdot \mid P^A(Y))$ satisfies $P^A(x)$, so $Y = x$ implies $P^A(Y)$. 

Corollary 1. Let $\Pi$ be a protocol and A an honest player for $\Pi$. If A is simulatable then $\Pi$ is A-secure. 

Simulatability is a strong requirement. It is conceivable that a protocol is secure without being 
simulatable. This motivates the following definition: 

Definition - A protocol $\Pi$ is strongly secure if there exist honest simulatable players A and B for $\Pi$. 

Strongly secure protocols have the desirable property that they release no partial information about the 
factorization of the players' private keys. This results in strongly secure protocols being "concatenable". That 
is, a polynomial number of strongly secure protocols can be run under the same keys. We now formalize this 
idea. 

Definition - Let $A_1$, $A_2$ be honest players for protocols $\Pi_1$, $\Pi_2$ respectively. The machine $A_3 = A_1 | A_2$ is 
defined by the following rules: 

$A_3$ runs as $A_1$ until $A_1$ halts. 

Then $A_3$ runs as $A_2$ except that, rather 
than obtaining $N_A$ from the key generator, it skips 
the initialization routine, using the keys $N_A$, $N_B$ 
known to $A_1$ instead. 

Definition - Let $\Pi_1 = (L_1, t_1(n), P^{A,1}, P^{B,1})$ and $\Pi_2 = (L_2, t_2(n), P^{A,2}, P^{B,2})$ be two protocols. We define the 
concatenation $\Pi_1 \% \Pi_2$ of $\Pi_1$, $\Pi_2$ as follows: 

$\Pi_1 \% \Pi_2 = (L_3, t_3(n), P^{A,3}, P^{B,3})$ 

where 

$L_3 = L_1 + L_2$ 
$t_3(n) = \max\{t_1(n), t_2(n)\}$ 
$P_i^{A,3} = P_i^{A,1}$ for $i = 1, \ldots, L_1$ 
$P_{L_1 + i}^{A,3} = P_i^{A,2}$ for $i = 1, \ldots, L_2$ 
$P_i^{B,3} = P_i^{B,1}$ for $i = 1, \ldots, L_1$ 
$P_{L_1 + i}^{B,3} = P_i^{B,2}$ for $i = 1, \ldots, L_2$ 

In other words, concatenation of two protocols is simply the concatenation of the two sequences of predicates. 

Now we are ready to show that simulatable protocols are concatenable. Even though the statement is 
intuitively true, the proof is somewhat technical. 

Figure 2.a) depicts a CPTM composed of a PTM B and an adversary $A_1 | A_2$ where $A_1$, $A_2$ are honest 
simulatable players for two protocols $\Pi_1$, $\Pi_2$ respectively. A machine $B_1$ (the "restriction of B to $\Pi_1$") is 
defined from machine B in the following way: $B_1$ behaves as B until $A_2$ starts executing, at which point it 
halts. Figure 2.b) depicts the same PTM B but with $A_1$, $A_2$ replaced by simulators $S_1$, $S_2$ respectively. Figure 
2.c) depicts PTM B with adversaries $S_1$ and then $A_2$. The random variables $X_1, X_2, V_1, V_2, Z_1, Z_2$ represent the 
messages between $A_1$-B, $A_2$-B, $S_1$-B, $S_2$-B, $S_1$-B, $A_2$-B respectively in the given configurations. 







[Figure 2: a) B against $A_1 | A_2$; b) B against the simulators $S_1$, $S_2$; c) B against $S_1$ and then $A_2$.] 

Figure 2. 

Theorem 2. Let $\Pi_1$, $\Pi_2$ be A-secure protocols with honest simulatable players $A_1$, $A_2$. Then $A_3 = A_1 | A_2$ is 
an honest simulatable A-player for $\Pi_3 = \Pi_1 \% \Pi_2$. 

Proof: Honesty of $A_1 | A_2$ follows immediately from the construction of $A_1 | A_2$. Thus we need only show 
simulatability. We must show that for n large enough, for all PTM B, for all $a, b, N_A, N_B$, 

$$\Pr(X_1 = a, X_2 = b) = \Pr(V_1 = a, V_2 = b \mid P^{A_1}(V_1) \wedge P^{A_2}(V_2)) \quad (*)$$ 

Let n, the size of the public keys, be large enough so that the simulatability conditions hold for both $A_1$ 
and $A_2$ with simulators $S_1$ and $S_2$ respectively. Fix $a, b, N_A, N_B$. From now on all probabilities are taken 
conditioning on the values of $N_A, N_B$. If $\neg P^{A_1}(a)$ or $\neg P^{A_2}(b)$ then both sides of (*) are zero. Suppose $P^{A_1}(a)$ 
and $P^{A_2}(b)$. If $\Pr(V_1 = a) = 0$ then, by the simulatability conditions, both sides of (*) are 0. 

Suppose $\Pr(V_1 = a) > 0$. 

We first show that $\Pr(X_1 = a, X_2 = b) = \Pr(Z_1 = a, Z_2 = b \mid P^{A_1}(Z_1))$. Note that this is implied 
by the 2 equations 

(i) $\Pr(X_2 = b \mid X_1 = a) = \Pr(Z_2 = b \mid Z_1 = a)$ 

and 

(ii) $\Pr(X_1 = a) = \Pr(Z_1 = a \mid P^{A_1}(Z_1))$. 

The first equation holds by the Independence Condition for CPTMs. Equation (ii) holds by simulatability. 
Now we show that 

$$\Pr(Z_1 = a, Z_2 = b \mid P^{A_1}(Z_1)) = \Pr(V_1 = a, V_2 = b \mid P^{A_1}(V_1) \wedge P^{A_2}(V_2)) \quad (**)$$ 

This equation is implied by the two equations 

(iii) $\Pr(Z_1 = a \mid P^{A_1}(Z_1)) = \Pr(V_1 = a \mid P^{A_1}(V_1) \wedge P^{A_2}(V_2))$ 

(iv) $\Pr(Z_2 = b \mid Z_1 = a) = \Pr(V_2 = b \mid P^{A_2}(V_2) \wedge V_1 = a)$. 

Equation (iii) can be shown as follows (note that $Z_1$ and $V_1$ are both the conversation of $S_1$ with B, so the left-hand side equals $\Pr(V_1 = a \mid P^{A_1}(V_1))$): 

$$\begin{aligned}
\Pr(V_1 = a \mid P^{A_1}(V_1) \wedge P^{A_2}(V_2)) 
&= \frac{\Pr(V_1 = a \wedge P^{A_1}(V_1) \wedge P^{A_2}(V_2))}{\Pr(P^{A_1}(V_1) \wedge P^{A_2}(V_2))} \\
&= \frac{\Pr(V_1 = a \wedge P^{A_1}(V_1))}{\Pr(P^{A_1}(V_1))} \\
&= \frac{\Pr(V_1 = a)}{\Pr(P^{A_1}(V_1))} \\
&= \Pr(V_1 = a \mid P^{A_1}(V_1)).
\end{aligned}$$

The second equality holds because the event $P^{A_2}(V_2)$ is independent of the events $(V_1 = a \wedge P^{A_1}(V_1))$ and 
$P^{A_1}(V_1)$ by definition of simulatability. The third and fourth equalities hold because we have assumed 
$P^{A_1}(a)$. 

Equation (iv) holds because $S_2$ is a simulator for $A_2$ and for all machines B. In particular, $S_2$ is a 
simulator for $A_2$ executing the protocol against a machine M which is $B[S_1]$ with the condition that M 
chooses its coin tosses randomly and uniformly only among those which yield $Z_1 = a$. Machine M is 
depicted in Figures 3.a) and 3.b) playing against $A_2$ and $S_2$ respectively. Writing $T_2$ and $U_2$ for the messages between M and $A_2$, and between M and $S_2$, in those two configurations, note that 

$$\Pr(V_2 = b \mid P^{A_2}(V_2) \wedge V_1 = a) = \Pr(U_2 = b \mid P^{A_2}(U_2)) = \Pr(T_2 = b) = \Pr(Z_2 = b \mid Z_1 = a).$$ 

Combining equations (*) and (**) completes the proof of the theorem. QED 






[Figure 3: the machine M built from $B[S_1]$ playing a) against $A_2$ and b) against $S_2$.] 

Figure 3. 

Theorem 3. Protocol 1 is a strongly secure protocol. 
Proof: Protocol 1 is a concatenation of 100 protocols 

$\Pi_1$: $P_1^A = (m_1^A \in Z_{N_A})$ 
$P_1^B = (m_1^B \in \{-1, 1\})$ 
$P_2^A = (\text{if } P_1^B \text{ then } (m_2^A)^2 \equiv m_1^A \pmod{N_A} \text{ and } \left(\frac{m_2^A}{N_A}\right) = m_1^B)$ 
$P_2^B = (m_2^B = \text{"thanks"})$ 

Notice that Bob does not use his key, therefore we need only be concerned about the protocol being A-
secure. By Theorem 2, it is enough to display a simulatable algorithm for A in $\Pi_1$. Let A's algorithm be the 
following: 

message 1: 

Choose a random $x \in Z_{N_A}$ and send $m_1^A = x^2 \bmod N_A$. 

message 2: 

If $m_1^B$ is 1 or $-1$ then send the root of $m_1^A$ with 
Jacobi symbol $m_1^B$, else send "you are cheating". 

Then the following algorithm is an A-simulator: 

message 1: 

Choose a random number $x \in Z_{N_A}$ and send $m_1^A = x^2 \bmod N_A$. 

message 2: 

If $m_1^B$ is 1 or $-1$ and the Jacobi symbol of $x$ modulo $N_A$ is $m_1^B$ 
then send $m_2^A = x \bmod N_A$ (if the Jacobi symbol of $x$ is not $m_1^B$, S has failed to satisfy $P^A$). If $m_1^B$ is not 1 or $-1$ then flip a fair coin. 
If the outcome is heads send $m_2^A$ = "you are cheating". If the outcome is 
tails, machine B[S] returns to the initial configuration and the simulation 
is repeated. 

The last instruction of machine B[S] may seem intriguing at first glance. However, it is necessary in 
order to satisfy properties i) and iii) of a simulator. The problem is the following: if B sends 
$m_1^B = \pm 1$ then S has a chance of only 1/2 of satisfying $P^A$, whereas it can always answer a malformed $m_1^B$. Therefore, if S simply responds "you are 
cheating" when B sends $m_1^B \neq \pm 1$, the conditional probability of a conversation $x$ given that S satisfies $P^A$ 
is biased towards those conversations in which B sends $m_1^B \neq \pm 1$. 

If we consider B's messages as questions to A (or S) then the problem is that all questions are easily 
answered by A, whereas the probability that S can answer questions may not be the same for all questions. 
Machine B[S] must incorporate instructions to homogenize the hardness of replying to B. 

Having said this, verification that B[S] satisfies properties i) to iii) of a simulator is easy and is left to 
the reader. 

7. Strongly Secure Solutions to Some Cryptographic Problems. 

In this section we provide strongly secure solutions to some well-known cryptographic problems. 
Protocol 2 - Coin Flipping Into a Well. 

The purpose of this protocol is for Alice to give Bob a random bit. However, Alice must not know which 
bit she gave him until Bob displays the bit. Bob, on his part, cannot lie about which bit he got. Since we 
have shown that Protocol 1 is strongly secure we may assume that $N_A$ satisfies property iii of a public key. 
The protocol is as follows: 

$\Pi_2$: $P_1^A(m_1^A) = (m_1^A = \text{"let's flip a coin into your well"})$ 
$P_1^B(m_1^B) = (m_1^B \in Z_{N_A})$ 
$P_2^A(m_2^A) = (m_2^A \in \{1, -1\})$ 
$P_2^B(m_2^B) = ((m_2^B)^2 \equiv m_1^B \pmod{N_A})$ 
Alice's and Bob's algorithms are as follows: 

Alice: 
message 1: 

send $m_1^A$ = "let's flip a coin into your well" 

message 2: 

send $m_2^A = b = +1$ or $-1$ at random. 

Bob: 
message 1: 

choose $x$ at random and send $m_1^B = x^2 \bmod N_A$. 

message 2: 

send $m_2^B = x$. 

The value of the coin-flip is $\left(\frac{x}{N_A}\right) \cdot b$. Bob may display the value of the coin-flip by displaying the root of $x^2$ 
that he knows. Until he displays the coin-flip at message 2 ($m_2^B$), Alice has no idea of what the value of the 
coin-flip is. If Alice is honest she can be sure that Bob cannot lie about the bit he got because he knows at 
most one root $x$ of $x^2 \bmod N_A$ (and, of course, $-x$, which has the same Jacobi symbol as $x$ since $\left(\frac{-1}{N_A}\right) = 1$). 

This protocol is simulatable because neither party uses the factorization of their keys. Assuming that 
Bob knows a root $x$, the probability that the coin-flip is 1 is the same as the probability that the coin-flip is 
$-1$. If Bob is honest, he can be sure that the coin-flip is unbiased because, from Alice's point of view, the 
probability that $x$ has Jacobi symbol 1 is the same as the probability that $x$ has Jacobi symbol $-1$. 

An important observation, which will be used in protocol $\Pi_4$, is that a simulator S can a priori choose 
the value of the coin-flip provided it chooses it at random. To do this S sends $m_2^A = \pm 1$ at random. If the 
outcome of the coin-flip is different from the one S wants, machine B[S] can simply restart computation at 
the beginning of the protocol execution. In random polynomial time, S can obtain the flip it originally chose. 
Protocol 3 - Generating a random element in $Z_{N_A}$. 

The coin-flipping Protocol 2 can be used $n = |N_A|$ times to generate a random element in $Z_{N_A}$. 
Protocol 4 - Verifying that $N_A$ has exactly 2 prime factors, both odd. 

This problem has been studied extensively by mathematicians. To this date, an efficient algorithm to 
determine the number of distinct prime factors of a composite number (the index of the number) has not 
been found. It is possible that no such algorithm exists. It is a remarkable achievement of the research on 
interactive proof systems that the index of a composite number can be shown to be 2 by an 
omniscient party without releasing any additional information about the composite number. 

The crucial observation for this solution is due to Adleman [20]. He suggested using the fact that if $N_A$ 
has more than two prime factors, then at most $1/8$ of the numbers in $Z_{N_A}^*$ are quadratic residues. The 
protocol uses Protocol 3 to generate $M$ random numbers with Jacobi symbol 1 in $Z_{N_A}$. Having done this, 
Alice reveals a square root of each of the numbers which is a quadratic residue. Bob accepts the number $N_A$ 
if Alice reveals at least $\alpha M$ square roots. The parameters $M$ and $\alpha$ are chosen so as to obtain a negligible 
probability of error at the minimum possible cost $M$. This solution has a two-sided error probability. It is 
possible for Alice to convince Bob that $N_A$ has at most 2 prime factors when it in fact has more than 2, and 
it is possible for Alice to be unable to complete the proof even though $N_A$ has exactly two prime factors. We 
now derive an approximation to the optimum value of $\alpha$. 

Let $Y$ be the number of quadratic residues among $M$ random numbers modulo $N_A$. Let $p$ be the 
probability that a random number in $Z_{N_A}$ is a quadratic residue. By the Central Limit Theorem (see any 
probability textbook, for example [21]) the random variable 

$$Z = \frac{Y - Mp}{\sqrt{Mp(1-p)}}$$ 

is asymptotically $\mathcal{N}(0,1)$ (normal with mean zero and standard deviation 1). 

For $M$ in the hundreds and the values of $p$ that arise here, $\mathcal{N}(0,1)$ is a good approximation to the distribution of $Z$. From 
now on we compute probabilities under the assumption that $Z$ has distribution $\mathcal{N}(0,1)$. 

Let $\varepsilon_1$ be the probability that Bob rejects $N_A$ when $N_A$ has exactly two prime factors. Let $\varepsilon_2$ be the 
probability that Bob accepts $N_A$ when $N_A$ has exactly three prime factors. Then, if $N_A$ has exactly two 
prime factors ($p = 1/4$) we have 

$$\varepsilon_1 = P(Y < \alpha M) = P\left(Z < \frac{(\alpha - .25)M}{\sqrt{M(.25)(.75)}}\right) = P\left(Z < \frac{(4\alpha - 1)\sqrt{M}}{\sqrt{3}}\right) = \int_{-\infty}^{(4\alpha - 1)\sqrt{M}/\sqrt{3}} \frac{e^{-t^2/2}}{\sqrt{2\pi}}\,dt \quad (I)$$ 

Similarly, if $N_A$ has exactly three prime factors ($p = 1/8$) we have 

$$\varepsilon_2 = 1 - P\left(Z < \frac{(8\alpha - 1)\sqrt{M}}{\sqrt{7}}\right) = 1 - \int_{-\infty}^{(8\alpha - 1)\sqrt{M}/\sqrt{7}} \frac{e^{-t^2/2}}{\sqrt{2\pi}}\,dt \quad (II)$$ 



Lemma 1. If $x$ is negative then 

$$\int_{-\infty}^{x} \frac{e^{-t^2/2}}{\sqrt{2\pi}}\,dt < \frac{2\,e^{-x^2/2}}{-x\sqrt{2\pi}}.$$ 

Proof: $x < 0$ and $t \le x$ implies $-t^2 \le -xt$. 

Thus 

$$\int_{-\infty}^{x} \frac{e^{-t^2/2}}{\sqrt{2\pi}}\,dt \le \int_{-\infty}^{x} \frac{e^{-xt/2}}{\sqrt{2\pi}}\,dt = \frac{2\,e^{-x^2/2}}{-x\sqrt{2\pi}}.$$ 



Theorem 4. For all values of $\alpha$, $\mathrm{Max}\{\varepsilon_1, \varepsilon_2\} > e^{-M/74}$ asymptotically, and we can achieve 
$\mathrm{Max}\{\varepsilon_1, \varepsilon_2\} < e^{-M/75}$ if we let $\alpha = \frac{\sqrt{21} - 1}{20}$. 

Proof: Since we seek to minimize $\mathrm{Max}\{\varepsilon_1, \varepsilon_2\}$, it is clear that the optimal value of $\alpha$ is somewhere between 
$1/8$ and $1/4$. Thus $(4\alpha - 1) < 0$. Using the lemma, and substituting $(4\alpha - 1)\sqrt{M}/\sqrt{3}$ and 
$-(8\alpha - 1)\sqrt{M}/\sqrt{7}$ for $x$ in (I) and (II) respectively (for (II) we use that $1 - P(Z < -x) = P(Z < x)$ by the symmetry of the normal distribution), we get 

$$\varepsilon_1 < \frac{-2\sqrt{3}\; e^{-(4\alpha - 1)^2 M/6}}{(4\alpha - 1)\sqrt{2\pi M}}$$ 

and 

$$\varepsilon_2 < \frac{2\sqrt{7}\; e^{-(8\alpha - 1)^2 M/14}}{(8\alpha - 1)\sqrt{2\pi M}}.$$ 

Thus both $\varepsilon_1$ and $\varepsilon_2$ are bounded above by functions of the form $\frac{c\, e^{-bM}}{\sqrt{M}}$. Since the parameter $b$ 
dominates the expression for the bound, we would like $b$ to be the same for $\varepsilon_1$ and $\varepsilon_2$, i.e. we want 

$$\frac{(4\alpha - 1)^2}{6} = \frac{(8\alpha - 1)^2}{14}.$$ 

Solving for $\alpha$ we get $\alpha = \frac{\sqrt{21} - 1}{20}$, which makes $b \approx .01339 > \frac{1}{75}$. Thus 

$$\mathrm{Max}\{\varepsilon_1, \varepsilon_2\} < e^{-M/75}.$$ 

A similar argument, involving an (asymptotic) lower bound on the same integral, shows that $\mathrm{Max}\{\varepsilon_1, \varepsilon_2\}$ is asymptotically greater than $e^{-M/74}$. QED 

We have shown that, even though this protocol achieves an exponentially small probability of error, we 
must use $M$ in the thousands in order to achieve a truly negligible probability of error. 
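To see how the bounds of Theorem 4 behave for a concrete M, the following added Python example (not from the paper) evaluates (I) and (II) under the normal approximation, the upper bounds obtained from Lemma 1, and the exact binomial tails for p = 1/4 and p = 1/8. Function names such as eps_normal and rounds_for are mine, and the choice M = 3000 mirrors the protocol Π_4 below.

```python
"""Numerical check of the error analysis of Protocol 4 (Theorem 4).
Added example, not the paper's code: compares the N(0,1) approximation of
(I) and (II), the bounds from Lemma 1, and the exact binomial tails."""
import math
from fractions import Fraction

ALPHA_STAR = (math.sqrt(21) - 1) / 20   # the paper's optimum for alpha


def normal_cdf(x):
    """Phi(x) = P(Z < x) for Z ~ N(0,1); erfc keeps far tails accurate."""
    return 0.5 * math.erfc(-x / math.sqrt(2))


def exponents(alpha):
    """The exponents (4a-1)^2/6 and (8a-1)^2/14 of the bounds on eps1, eps2."""
    return (4 * alpha - 1) ** 2 / 6, (8 * alpha - 1) ** 2 / 14


def eps_normal(alpha, m):
    """(eps1, eps2) from equations (I) and (II) under the normal approximation.
    eps2 is computed as a lower tail (symmetry) so it does not cancel to 0."""
    eps1 = normal_cdf((4 * alpha - 1) * math.sqrt(m) / math.sqrt(3))
    eps2 = normal_cdf(-(8 * alpha - 1) * math.sqrt(m) / math.sqrt(7))
    return eps1, eps2


def lemma_bounds(alpha, m):
    """Upper bounds on eps1, eps2 from Lemma 1 (needs 1/8 < alpha < 1/4)."""
    b1, b2 = exponents(alpha)
    c = math.sqrt(2 * math.pi * m)
    return (2 * math.sqrt(3) * math.exp(-b1 * m) / ((1 - 4 * alpha) * c),
            2 * math.sqrt(7) * math.exp(-b2 * m) / ((8 * alpha - 1) * c))


def eps_exact(alpha, m):
    """(eps1, eps2) from the exact Binomial(m, p) tails, p = 1/4 and p = 1/8.
    Rational arithmetic avoids the underflow of p^k (1-p)^(m-k) for m = 3000."""
    threshold = math.ceil(alpha * m)      # Bob needs at least alpha*m opened roots

    def below(p):                          # P(Y < threshold), Y ~ Bin(m, p), exact
        num, den = p.numerator, p.denominator
        total = sum(math.comb(m, k) * num ** k * (den - num) ** (m - k)
                    for k in range(threshold))
        return Fraction(total, den ** m)

    eps1 = float(below(Fraction(1, 4)))          # honest two-prime key rejected
    eps2 = float(1 - below(Fraction(1, 8)))      # three-prime modulus accepted
    return eps1, eps2


def paper_bound(m, rate=75):
    """The paper's headline bound e^{-M/75} (rate = 74 gives the lower bound)."""
    return math.exp(-m / rate)


def rounds_for(target, rate=75):
    """Smallest M with e^{-M/rate} <= target, i.e. the paper's rule of thumb."""
    return math.ceil(rate * math.log(1 / target))


if __name__ == "__main__":
    m = 3000
    print("alpha* =", ALPHA_STAR, "exponents =", exponents(ALPHA_STAR))
    print("normal approximation:", eps_normal(ALPHA_STAR, m))
    print("Lemma 1 bounds      :", lemma_bounds(ALPHA_STAR, m))
    print("exact binomial      :", eps_exact(ALPHA_STAR, m))
    print("e^-M/75 =", paper_bound(m), " M for 1e-20:", rounds_for(1e-20))
```

Two things are worth noticing when this is run. At α* the two exponents coincide and lie strictly between 1/75 and 1/74, which is where the constants in Theorem 4 come from. The exact binomial tails do not sit symmetrically around the normal approximation: the two-prime rejection probability is smaller than (I) predicts, but the three-prime acceptance probability is noticeably larger than (II) predicts, because the binomial with p = 1/8 is right-skewed. When choosing M for an implementation, size it from the exact tail rather than from e^{-M/75}.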

This protocol requires the communication of a very large number of bits. It is expensive in 
communication and computation. This is also the fastest known protocol for this problem. Goldwasser, 
Micali, and Rackoff [4] have an elegant but expensive 0-knowledge interactive proof by which Bob can prove 
to Alice that he knows a root of a quadratic residue modulo her key. Using this technique a 0-knowledge 
protocol for this problem can be constructed which is essentially a hundred times as expensive as our 
protocol. Protocols for harder problems, e.g. Blum's certified mail protocol, may require the execution of 
this protocol hundreds or thousands of times for different keys. This illustrates the practical need for 
protocols which use a single key. 

It would be straightforward but cumbersome to write this protocol in our formalism. Instead, we write 
it out in a hybrid notation and argue informally that it is simulatable. 

$\Pi_4$: Do 3000 times 

i) Execute Protocol $\Pi_3$ to generate a random number $x$ in $Z_{N_A}$. 

ii) If the Jacobi symbol of $x$ mod $N_A$ is 1 then Alice sends the 
message "non-residue" or a square root of $x$ mod $N_A$. 

Theorem 5. $\Pi_4$ is strongly secure. 

Proof: The reason that this needs to be proven is that it does not follow immediately from Theorem 2. This 
is because $\Pi_4$ is not a concatenation of strongly secure protocols. However, if Alice follows the 
algorithm given for $\Pi_2$ and honestly executes instruction ii) of $\Pi_4$ then we can argue that Alice is 
simulatable. 

We argue informally as follows: A simulator for $\Pi_3$, the protocol which generates a random element in 
$Z_{N_A}$, can choose a priori what number is to be generated (see the note on this matter in the description of $\Pi_2$) 
provided it chooses it at random. Thus S can simulate A as follows: S flips a fair coin to decide whether 
the number generated in the simulation of $\Pi_3$ will have Jacobi symbol 1 or $-1$. If the number is to have 
Jacobi symbol $-1$ then S simply generates a random element with Jacobi symbol $-1$. If the number is to have 
Jacobi symbol 1 then S flips a fair coin to decide whether it will choose a quadratic residue or a quadratic 
non-residue. Then S generates a random element $r$ in $Z_{N_A}^*$. If $x$ in step i) of $\Pi_4$ is to be a non-residue then S 
sets $x = -r^2 \bmod N_A$. If $x$ is to be a residue then S sets $x = r^2 \bmod N_A$. The reader can verify that $x$, 
chosen in this way, is indeed a random element in $Z_{N_A}$. If $x$ is a quadratic residue then S knows a square 
root of $x$ and thus can execute step ii) of $\Pi_4$. QED 

Note that the properties of the honest player's key $N_A$ are crucial in this proof. This is because $N_A$, generated by an honest Alice, 
is a Blum integer, so $-1$ modulo $N_A$ is a non-residue with Jacobi symbol 1. (Properties i-iii alone do not guarantee this: $85 = 5 \cdot 17$ satisfies i-iii, yet $13^2 \equiv -1 \pmod{85}$, so for such a modulus $-r^2$ would be a residue.) If $N_A$ were an arbitrary composite then this 
protocol would not be simulatable since there is no known effective algorithm to compute a non-residue with 
Jacobi symbol 1 modulo an arbitrary composite. This completes the proof that Alice and Bob can convince 
each other that $N_A$, $N_B$ are valid public keys without helping the opponent factor the key. 
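The building blocks of this section, run end to end as an added Python example (this is not code from the paper): Protocol 1's test of property iii, the coin flip of Protocol 2 (standing in for Protocol 3), the residue count of Protocol 4, and the r^2 / -r^2 sampling used by the simulator in the proof of Theorem 5. It assumes tiny constructed moduli, 47·59 as a Blum key, 13·17 as a modulus that satisfies properties i and ii but not iii, and 7·11·19 as a three-prime modulus, so that square roots can be found by brute force where the paper's Alice would use her secret factors; the function and parameter names are mine.

```python
"""Toy run of the key-validation protocols of Sections 6 and 7 (added example,
not the paper's code).  Moduli are tiny constructed values so that square
roots can be found by brute force; a real Alice uses the CRT with P_A, Q_A."""
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def all_roots(z, n):
    """Every x with x*x = z (mod n).  Brute force stands in for Alice's CRT."""
    return [x for x in range(n) if x * x % n == z]


def random_unit(n, rng):
    """A random element of Z_n^*; stands in for Protocol 3's n coin flips."""
    while True:
        x = rng.randrange(1, n)
        if math.gcd(x, n) == 1:
            return x


def protocol_1(n, rounds=100, seed=0):
    """Blum's test for property iii.  Each round Alice sends z = x^2, Bob asks
    for a root with Jacobi symbol b, Alice answers if some root has it.  Returns
    how many rounds Alice could not answer: 0 for a key, about rounds/2 when
    all four roots share a Jacobi symbol (e.g. n = 13*17)."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(rounds):
        z = random_unit(n, rng) ** 2 % n                      # message 1
        b = rng.choice((1, -1))                               # message 2
        answer = [r for r in all_roots(z, n) if jacobi(r, n) == b]  # message 3
        if not answer or answer[0] ** 2 % n != z:             # Bob's check
            failures += 1
    return failures


def coin_into_well(n, seed=0):
    """Protocol 2.  Bob commits x^2, Alice sends b; the coin is (x/n)*b, which
    Bob learns first and Alice can verify once Bob reveals x."""
    rng = random.Random(seed)
    x = random_unit(n, rng)
    commitment = x * x % n                                    # Bob's message 1
    b = rng.choice((1, -1))                                   # Alice's message 2
    if x * x % n != commitment:                               # Alice checks m_2^B
        raise ValueError("Bob opened a different root")
    return jacobi(x, n) * b


def protocol_4(n, m=800, alpha=(math.sqrt(21) - 1) / 20, seed=0):
    """Protocol 4: among m random units Alice opens a root of every quadratic
    residue of Jacobi symbol 1; Bob accepts if at least alpha*m roots were opened.
    Returns (accepted, fraction opened): about 1/4 for two primes, 1/8 for three."""
    rng = random.Random(seed)
    opened = 0
    for _ in range(m):
        x = random_unit(n, rng)
        if jacobi(x, n) != 1:
            continue                                          # Alice answers only Jacobi-1 x
        roots = all_roots(x, n)
        if roots and roots[0] ** 2 % n == x:                  # Alice opens a root; Bob checks it
            opened += 1
    return opened >= alpha * m, opened / m


def simulator_sample(n, seed=0):
    """The Theorem 5 simulator's Jacobi-1 branch: pick a unit r and return r^2
    (a residue) or -r^2 (a non-residue of Jacobi symbol 1 when n is a Blum
    integer).  Returns (x, is_residue) without knowing the factorization."""
    rng = random.Random(seed)
    r = random_unit(n, rng)
    if rng.random() < 0.5:
        return r * r % n, True
    return (-r * r) % n, False


if __name__ == "__main__":
    print("Protocol 1, Blum key 47*59 :", protocol_1(47 * 59), "failures")
    print("Protocol 1, 13*17 (no iii) :", protocol_1(13 * 17), "failures")
    print("Protocol 2 coin            :", coin_into_well(47 * 59))
    print("Protocol 4, two primes     :", protocol_4(47 * 59))
    print("Protocol 4, three primes   :", protocol_4(7 * 11 * 19))
    print("Simulator sample           :", simulator_sample(47 * 59))
```

Running it shows the two facts the proofs rest on: for the Blum key Alice never fails Protocol 1 because the four roots of a residue split two and two between the Jacobi symbols, while for 13·17 (where (−1/17) = 1) all four roots share a symbol and she fails about half the rounds; and in Protocol 4 the opened fraction sits near 1/4 for the key and near 1/8 for the three-prime modulus, on either side of the threshold α*.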

Protocol 5 - The Oblivious Transfer. 

A strongly secure variant of Rabin's Oblivious Transfer, called "The Probabilistic Channel", has been 
implemented in [22] based on an earlier work on the Oblivious Transfer [6]. 

Acknowledgements. 

The importance of studying cryptographic protocols in a rigorous way was made clear to us by Manuel 
Blum. He also guided us throughout this research with insight and valuable references. He, of course, bears 
no responsibility for the possible weaknesses and shortcomings of this model. Other good friends who 
worked with us on this problem include Tom Tedrick and Umesh Vazirani. 

References. 

1. M. Blum, Coin Flipping by Telephone, Proc. IEEE COMPCON, 1982, 133-137. 

2. M. Luby, S. Micali and C. Rackoff, How to Simultaneously Exchange a Secret Bit by Flipping a 
Symmetrically-Biased Coin., 24th. IEEE Annual Symp. on Foundations of Computer Science, 1983, 11. 

3. T. Tedrick, How to Exchange Half a Bit, Proceedings of Crypto 83, N.Y., 1984, 147. 

4. S. Goldwasser, S. Micali and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems, 17th. 
Annual ACM Symp. on Theory of Computing, 1985. 

5. M. Fischer, S. Micali and C. Rackoff, A Secure Protocol for the Oblivious Transfer, Proceedings of 
Eurocrypt 84., 1984. 

6. R. Berger, R. Peralta and T. Tedrick, A Provably Secure Oblivious Transfer, Dept. EECS, Univ. of 
California, Berkeley, Calif., 1983. 

7. M. Blum, How to Exchange Secret Keys, ACM Transactions on Computer Systems 1, 2 (May 1983), 
175-193. 

8. M. Blum, Three Applications of the Oblivious Transfer : 1. Coin Flipping by Telephone, 2. How to 
Exchange Secrets , 3. How to Send Certified Electronic Mail, Dept. EECS, Univ. of California, 
Berkeley , Calif. , 1981. 

9. S. Even, O. Goldreich and A. Lempel, A Randomized Protocol for Signing Contracts, Technical Report 
#233, February 1982.. 

10. S. Fortune and M. Merritt, Poker Protocols, Crypto 84, 1984. 

11. M. Yung, Cryptoprotocols : Subscription to a Public Key, the Secret Blocking and the Multi-Player 
Mental Poker Game., Crypto 84, 1984. 

12. L. Blum, M. Blum and M. Shub, A Simple Secure Pseudo-Random Number Generator, CRYPTO 82, 
1982. 

13. S. Goldwasser and M. Blum, An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All 
Partial Information, Crypto 84, 1984.

14. M. Blum, A Potential Danger with Low-Exponent Modular Encryption Schemes: Avoid Encrypting
Exactly the Same Message to Several People, U.C. Berkeley Computer Science Department, 1984.

15. J. Hastad, On Using RSA with Low Exponent in a Public Key Network., MIT Computer Science 
Department, 1984. 

16. D. Dolev, S. Even and R. Karp, On The Security Of Ping-Pong Protocols, Proceedings of Crypto 82, 
1982. 

17. D. Dolev and A. Yao, On The Security Of Public Key Protocols, IEEE Transactions on Information 
Theory. IT-30 (March 1983), 198. 

18. M. Merritt, Cryptographic Protocols , Ph.D Thesis. Georgia Institute of Technology, GIT-ICS-83/06. 
1983. 

19. M. Merritt and P. Wolper, States of Knowledge in Cryptographic Protocols, Unpublished Manuscript.

20. L. Adleman, Private Communication through M. Blum., 1983. 

21. K. Chung, A Course in Probability Theory, Academic Press, London, 1974. 

22. R. Peralta and T. Tedrick, The Probabilistic Channel, In preparation, 1985. 



CHEATING AT MENTAL POKER 



Don Coppersmith 
IBM Research 
Yorktown Heights, NY 10598 



We review the "mental poker" scheme described by Shamir, Rivest and Adleman [SRA]. We present two possible 
means of cheating, depending on careless implementation of the SRA scheme. One will work if the prime p is such that 
p - 1 has a small prime divisor. In the other scheme, the names of the cards "TWO OF CLUBS" have been extended 
by random-looking bits, chosen by the cheater. 

Background 

In 1979 Shamir, Rivest and Adleman [SRA] proposed a scheme for playing "mental poker," i.e. play a fair poker 
game over the telephone between two mutually suspicious players. As a corollary, their paper gave a practical method 
for exchanging secret information over a public channel. (This method of exchanging information is still viable, and 
nothing in this paper affects its usefulness.) 

In their scheme, players A and B agree on a large prime p. They create a deck of cards c_i, i = 1, 2, ..., 52, where,
for example, c_1 might be the EBCDIC coding of the characters "TWO OF CLUBS". Player A creates two secret
numbers a, a', such that a·a' ≡ 1 (mod p − 1); Player B similarly creates secret numbers b, b'. Player A shuffles the deck,
encodes each card by raising to the a power (mod p), and sends the deck to Player B. (At this point, B sees
c_{π(i)}^a (mod p), where π denotes the permutation or shuffle applied by A.) Player B selects five cards for A, say
c_{π(j_1)}^a (mod p), ..., c_{π(j_5)}^a (mod p), and returns them to A, who decodes them by raising to the a' power (mod p). B also
selects five cards for himself, and adds his own encryption by raising to the b power (mod p). He sends the resulting
cards, c_{π(k_1)}^{ab} (mod p), ..., c_{π(k_5)}^{ab} (mod p), to A. In turn, A raises B's cards to the a' power, obtaining c_{π(k_i)}^b (mod p),
and returns them to B. Finally B raises these cards to the b' power (mod p) to obtain c_{π(k_i)} (mod p), his own hand
in the clear.

Thus is the hand dealt. Betting proceeds as usual. At the end of the game, the secret keys are revealed, so that 
the hands are made known to both sides. 

Method 1: when p-1 has a small factor. 

The first method of cheating is a generalization of the "quadratic residue" trick, due to Lipton [DDDHL].

Suppose that p − 1 is divisible by a small integer q, say 30 < q < 10^12.

The multiplicative group of integers (mod p) is denoted by Z_p^*. It is isomorphic to the additive group of integers
(mod p − 1), Z_{p−1}. (There are several isomorphisms available, and we can select one by selecting a generator g of
the multiplicative group.) For each integer q dividing p − 1 there is a projection from Z_{p−1} onto Z_q. Composing these
two maps, to each x ≢ 0 (mod p) we can associate an element (mod q), which we will call log x (mod q), suppressing
the dependence on g. The Pohlig-Hellman technique ([PH], attributed by them to Roland Silver) enables us to
compute log x (mod q) for the price of O(log p + √q) multiplications (mod p). For q in the range given, this is a feasible
amount of computation.

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 104-107, 1986.
© Springer-Verlag Berlin Heidelberg 1986

Suppose Player B sees the cards before they are encrypted. Then he can determine {log c_i (mod q), 1 ≤ i ≤ 52}.
Now he receives the shuffled and encrypted deck from A. Again, he determines
{log(c_{π(i)}^a) (mod q) ≡ a·log c_{π(i)} (mod q)}. By comparing the distributions of the logarithms, before and after
encryption, B can usually determine the value of a (mod q). Thus he can recover {log c_{π(i)} (mod q)}. This gives him
some information about the permutation π: he can tell which cards are which, up to ambiguities caused when two
logarithms are the same: log c_i (mod q) ≡ log c_j (mod q). The expected number of uniquely determined cards is about
52·e^{−51/q}; for q > 30 one expects to have at least nine cards uniquely determined.

Finally, if we choose our prime p uniformly at random, we will have some prime q, 30 < q < 10^12, dividing
p − 1 about eighty-seven percent of the time.

Conclusion 1: If you don't want cheating, choose your primes p to be of the form p = 2q + 1, q prime, so that the
cheater can only tell the difference between quadratic residues and non-residues. Also, append bits so that all the
cards are quadratic residues, to block even that information from the cheater.
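The attack of Method 1, as an added toy example (not from the paper): a modulus with a small prime factor q of p − 1 is constructed, the deck is dealt as in SRA, and Player B recovers a (mod q) by matching the multiset of small-subgroup logarithms before and after encryption, then labels every position whose logarithm is unique. The modulus, card values, exponent and seed are all chosen for the demonstration; the "log x (mod q)" is computed by projecting into the order-q subgroup, which is the single-prime case of Pohlig-Hellman.

```python
# Added example: Coppersmith's Method 1 against an SRA deal, on constructed parameters.
from math import gcd
import random

def is_prime(n):
    """Trial division; adequate for the small toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def weak_prime(q):
    """Smallest prime p = 2*q*k + 1, so that q | p - 1 (the weakness Method 1 exploits)."""
    k = 1
    while not is_prime(2 * q * k + 1):
        k += 1
    return 2 * q * k + 1

def log_mod_q_table(p, q):
    """Return a function x -> log x (mod q).  x^((p-1)/q) lies in the unique subgroup
    of order q; its index with respect to a fixed generator h of that subgroup is the
    projection of log_g x onto Z_q (Pohlig-Hellman for a single prime factor)."""
    e = (p - 1) // q
    y = 2
    while pow(y, e, p) == 1:          # any y with a non-trivial projection will do
        y += 1
    h = pow(y, e, p)
    table, t = {}, 1
    for i in range(q):                # q is small, so a lookup table is cheaper than BSGS
        table[t] = i
        t = t * h % p
    return lambda x: table[pow(x, e, p)]

def sra_encrypt_deck(p, cards, a, rng):
    """Player A's step: shuffle, then raise every card to the secret power a."""
    perm = list(range(len(cards)))
    rng.shuffle(perm)                 # perm[j] = index of the card sitting at position j
    return perm, [pow(cards[idx], a, p) for idx in perm]

def method1_attack(p, q, cards, enc):
    """Player B's attack: recover a (mod q) by matching the multiset of logs, then
    identify every position whose log value belongs to exactly one card."""
    log = log_mod_q_table(p, q)
    before = [log(c) for c in cards]
    after = [log(e) for e in enc]
    target = sorted(after)
    candidates = [x for x in range(1, q) if sorted(x * l % q for l in before) == target]
    identified = {}
    if len(candidates) == 1:
        x = candidates[0]
        by_log = {}
        for idx, l in enumerate(before):
            by_log.setdefault(x * l % q, []).append(idx)
        for pos, l in enumerate(after):
            owners = by_log.get(l, [])
            if len(owners) == 1:      # unique log => the card at this position is known
                identified[pos] = owners[0]
    return candidates, identified

def run_demo(q=1009):
    p = weak_prime(q)                 # q = 1009 gives p = 10091 = 2*5*1009 + 1
    cards = list(range(2, 54))        # 52 distinct "card names" as residues mod p (constructed)
    a = 4567
    while gcd(a, p - 1) != 1:         # A's exponent must be invertible mod p-1
        a += 2
    perm, enc = sra_encrypt_deck(p, cards, a, random.Random(1))
    candidates, identified = method1_attack(p, q, cards, enc)
    return {
        "p": p, "true_a_mod_q": a % q, "candidates": candidates,
        "num_identified": len(identified),
        "all_correct": all(perm[pos] == idx for pos, idx in identified.items()),
    }
```

With q = 1009 the expected number of uniquely identified cards is 52·e^{−51/1009}, about 49; with p a safe prime the only small factor is 2 and the same computation degenerates to the quadratic-residue test of Conclusion 1.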

Method 2: when the cards are padded by random bits. 

The string "THREE OF DIAMONDS" in EBCDIC is very short: only seventeen characters or 136 bits. Our
prime p cannot be this short, because efficient techniques exist for finding logarithms modulo primes this small [WM],
[Adl], [COS]. So suppose the EBCDIC strings are padded out with random bits, in accordance with good
cryptographic practice. (Note: the original paper [SRA] did not suggest such padding.) Suppose these bits occupy
half the description of the cards.* Suppose also that Player B is allowed to select these "random bits". Then he can
cheat.

Let the i-th card be given by c_i = s_i + r_i < p, where s_i is the EBCDIC coding of the card's name in English, left-
adjusted in the representation of the integer, and r_i is the "random" portion, constrained by 0 ≤ r_i < √p.

Player B fixes the representation of c_1 as "TWO OF CLUBS" padded with truly random bits. Now for each
i, 2 ≤ i ≤ 26, B tries to select r_{2i−1}, r_{2i} so that the resulting integers c_{2i−1}, c_{2i} satisfy

(c_1^i (mod p)) · (s_{2i−1} + r_{2i−1}) = s_{2i} + r_{2i} + t·p,

where r_{2i−1}, r_{2i} and t are unknown integers less than √p. This is just a linear diophantine equation, easily solved, for
example, by a basis reduction algorithm; see [Lag], [LLL] for the techniques involved.

* An interesting problem remains: what if the "random bits" occupy only 1/3 or 1/4 of the description? Can a similar 
scheme be implemented? 






Now A shuffles and encrypts the deck, and sends the entire deck to B. Recall that B sees c_{π(i)}^a (mod p). Notice that
since c_1^i · c_{2i−1} ≡ c_{2i} (mod p), the same relation holds among the encrypted cards: (c_1^a)^i · (c_{2i−1}^a) ≡ c_{2i}^a (mod p).
So B tries each of 52 × 51 = 2652 ordered pairs of cards in the encrypted shuffled deck, computing
(c_{π(j)}^a)^2 · (c_{π(k)}^a) (mod p) and comparing the results to the remaining 50 cards. On finding a match,
(c_{π(j)}^a)^2 · (c_{π(k)}^a) ≡ c_{π(l)}^a (mod p), Player B has probably identified three cards: π(j) = 1, π(k) = 3, π(l) = 4. Now for
3 ≤ i ≤ 26, 1 ≤ m ≤ 52, m ≠ j, k, l, compute (c_{π(j)}^a)^i · (c_{π(m)}^a) (mod p) and compare to the remaining cards; each
match (c_{π(j)}^a)^i · (c_{π(m)}^a) ≡ c_{π(n)}^a (mod p) gives two more cards: π(m) = 2i − 1, π(n) = 2i. At the cost of a few thou-
sand multiplications (mod p), B has recovered the permutation π, and can now select both hands quite maliciously.
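The recovery step of Method 2, as an added toy example (not from the paper). Player B's rigged deck satisfies c_1^i · c_{2i−1} ≡ c_{2i} (mod p) for 2 ≤ i ≤ 26; because x ↦ x^a is a multiplicative homomorphism, the relations survive A's encryption, and the search described above recovers the whole shuffle. One simplification is assumed: the padding is chosen freely, so the lattice step that keeps the random part below √p is not implemented here; the modulus (the Mersenne prime 2^61 − 1), exponent and seed are constructed for the demonstration, and the large modulus is what keeps accidental matches from appearing.

```python
# Added example: Coppersmith's Method 2, the homomorphic padding trick, on constructed parameters.
from math import gcd
import random

P = (1 << 61) - 1    # Mersenne prime; large enough that accidental matches do not occur

def rigged_deck(p, rng):
    """B's deck as a 0-based list of c_1..c_52, with c_{2i} forced to c_1^i * c_{2i-1} mod p.
    (Here the padding is chosen freely; the paper solves for small padding with basis reduction.)"""
    cards = [None] * 52
    cards[0] = rng.randrange(2, p)            # c_1: "TWO OF CLUBS" with honest padding
    cards[1] = rng.randrange(2, p)            # c_2: unconstrained
    for i in range(2, 27):
        cards[2 * i - 2] = rng.randrange(2, p)                          # c_{2i-1}: free
        cards[2 * i - 1] = pow(cards[0], i, p) * cards[2 * i - 2] % p   # c_{2i}: forced
    assert len(set(cards)) == 52
    return cards

def sra_encrypt_deck(p, cards, a, rng):
    """Player A's step: shuffle, then raise every card to the secret power a."""
    perm = list(range(len(cards)))
    rng.shuffle(perm)                         # perm[j] = index of the card at position j
    return perm, [pow(cards[idx], a, p) for idx in perm]

def recover_shuffle(p, enc):
    """B's search: return {position: card number} for the encrypted shuffled deck, or None."""
    n = len(enc)
    where = {v: j for j, v in enumerate(enc)}
    for j in range(n):                        # guess the position of E(c_1)
        sq = enc[j] * enc[j] % p
        for k in range(n):                    # guess the position of E(c_3)
            if k == j:
                continue
            l = where.get(sq * enc[k] % p)    # E(c_1)^2 * E(c_3) must be E(c_4)
            if l is None or l in (j, k):
                continue
            ident = {j: 1, k: 3, l: 4}
            for i in range(3, n // 2 + 1):    # E(c_1)^i * E(c_{2i-1}) = E(c_{2i})
                ei = pow(enc[j], i, p)
                hit = None
                for m in range(n):
                    if m in ident:
                        continue
                    nn = where.get(ei * enc[m] % p)
                    if nn is not None and nn != m and nn not in ident:
                        hit = (m, nn)
                        break
                if hit is None:
                    break                     # this (j, k) was a false start
                ident[hit[0]], ident[hit[1]] = 2 * i - 1, 2 * i
            else:
                rest = [m for m in range(n) if m not in ident]
                if len(rest) == 1:
                    ident[rest[0]] = 2        # whatever is left must be c_2
                    return ident
    return None

def run_demo():
    rng = random.Random(7)
    cards = rigged_deck(P, rng)
    a = 0x1234567                             # A's secret exponent (constructed)
    while gcd(a, P - 1) != 1:                 # must be invertible mod p-1 for SRA decryption
        a += 2
    perm, enc = sra_encrypt_deck(P, cards, a, rng)
    recovered = recover_shuffle(P, enc)
    truth = {pos: idx + 1 for pos, idx in enumerate(perm)}
    return recovered == truth, recovered
```

Note that nothing about p is exploited here: the attack works just as well for p = 2q + 1, so Conclusion 1 does not protect against Method 2.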

Conclusion 2: If you're going to have "random padding," make sure your opponent doesn't select the random 
numbers. 

Conclusion 3: The protocol is fairly fragile in the sense that seemingly innocuous changes (selection of p, padding 
with seemingly random bits) can allow for cheating. If you don't trust a man enough to play cards with him, don't play 
mental cards with him either. 

Note: Goldwasser and Micali [GM] have proposed an alternate, more complicated protocol for mental poker, 
which is evidently more secure. 

References 

[Adl] L.M. Adleman, "A subexponential algorithm for the discrete logarithm problem with applications to
cryptography," Proc. 20th IEEE Found. Comp. Sci. Symp. (1979), 55-60.

[COS] D. Coppersmith, A.M. Odlyzko and R. Schroeppel, "Discrete Logarithms in GF(p)," Research Report RC 
10985, IBM T.J. Watson Research Center, Yorktown Heights, N.Y., 10598, February 14, 1985. 

[DDDHL] R.A. DeMillo, G.I. Davida, D.P. Dobkin, M.A. Harrison and R.J. Lipton, Applied Cryptology, Cryptographic
Protocols, and Computer Security Models, vol. 29, Proceedings of Symposia in Applied Mathematics, American
Mathematical Society, 1983. Chapter 4.11, "Compromising Protocols."

[GM] S. Goldwasser and S. Micali, "Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Par- 
tial Information," Proc. 14th ACM Symposium on Theory of Computing (1982), 365-377. 

[Lag] J.C. Lagarias, "Knapsack Public Key Cryptosystems and Diophantine Approximation (Extended Abstract)," 
Advances in Cryptology, Proceedings of Crypto 83, (Ed.: D. Chaum), Plenum Press, New York, 1983, 289-301. 

[LLL] A.K. Lenstra, H.W. Lenstra, Jr. and L. Lovasz, "Factoring Polynomials with Rational Coefficients," Math. 
Annalen. 261 (1982), 515-534. 

[PH] S.C. Pohlig and M. Hellman, "An improved algorithm for computing logarithms over GF(p) and its 
cryptographic significance," IEEE Trans. Inform. Theory IT-24 (1978), 106-110. 






[SRA] A. Shamir, R.L. Rivest and L.M. Adleman, "Mental Poker," MIT/LCS/TM-125, Laboratory for Computer
Science, Massachusetts Institute of Technology, 545 Technology Square, Cambridge, MA 02139, February
1979.

[WM] A.E. Western and J.C.P. Miller, Tables of Indices and Primitive Roots, Royal Society Mathematical Tables, vol.
9, Cambridge Univ. Press, 1968.



Security for the DoD Transmission Control Protocol 



Whitfield Diffie 
Bell-Northern Research 
Mountain View, California 

1 Introduction 

In securing packet switched digital communications, it is possible to add the security measures 
at almost any layer of the Open Systems Interconnection (OSI) model of network functioning. At 
one extreme, security may be supplied either by physical protection of the communication links 
(with no impact at all on network communication protocols) or by independent encryption of the 
traffic on each link of the network (with little protocol impact). Solutions of this sort are called link 
security and, although widely employed, have the disadvantage of requiring the users to place a 
high degree of trust in the network. At the other extreme, it is possible, using cryptography, to add 
security to each individual user level application. This has the advantage of minimizing the user's 
need to trust the network and thus providing end-to-end security, but also has the disadvantage 
of requiring a multiplicity of implementations. 

A natural compromise is to attempt to place the security measures at the lowest point of full 
end-to-end communications, thereby achieving the benefits of end-to-end security with a single 
mechanism. As the provider of reliable end-to-end communications, the transport layer is the 
obvious choice for this location. 

In this paper, we will pursue the transport layer approach by examining an existing transport 
protocol, the U. S. Department of Defense Transmission Control Protocol (TCP), and considering 
the ways in which this protocol could be made secure. 

Our proposals will occur at three levels of compatibility starting with full compatibility with 
existing TCP and progressing through an upward compatible extension to the possibility of related 
but incompatible protocols. 

2 Overview of TCP

This section provides an overview of the functioning of TCP and is largely drawn or
paraphrased from the TCP specification [4]. As in that document, the abbreviation "TCP" will
be used to denote both the protocol itself and programs used to implement that protocol.

The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host 
protocol between hosts in packet-switched computer communication networks, and especially in 
interconnected systems of such networks. It was explicitly designed for use with the DoD Internet 
protocol [3], but in principle, TCP should be able to operate above a wide spectrum of communication
systems ranging from hard-wired connections to packet-switched or circuit-switched networks. 

2.1 Facilities

To provide its service on top of a less reliable "network" level communication system requires 
facilities in the following areas: Data Transfer, Reliability, Flow Control, Multiplexing, and
Connection Management.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 108-127, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






Data Transfer 

The TCP is able to transfer a continuous stream of octets in each direction between its users 
by packaging some number of octets into segments for transmission through the network. In this 
stream mode, the TCPs decide when to block and forward data at their own convenience. 

The sender can override the asynchronous character of the data transfer by setting the push 
flag in the TCP send command. This will make the sending TCP transmit all buffered data and 
set the push flag in the final resulting segment. The receiving TCP on seeing the push flag follows 
suit by forwarding all buffered data to its user. 

TCP also provides a mechanism for communicating to the receiver of data that at some point 
further along in the data stream than the receiver is currently reading there are urgent data. TCP 
does not attempt to define specifically what the user should do upon being notified of pending 
urgent data, but the general notion is that the receiving process should take action to read through 
the urgent data quickly. 

Reliability 

Reliability is a complex issue that cannot be completely encompassed within a transport layer 
protocol. Redundant routing in the network, use of jam resistant communication links, and forward 
error correction all play a part in a comprehensive program of reliability. 

Guarantees of reliability can be divided into two categories of which the second is a necessary 
building block of the first. 

1) Assurance that the data will arrive intact.

2) Assurance that the receiver will know whether the data have arrived intact or not. 

A reliability mechanism providing some elements of each aspect is provided in TCP by the 
use of sequence numbers and acknowledgments (ACK's) to deliver data undamaged and in order 
at the destination. Conceptually, each octet of data is assigned a sequence number. The sequence 
number of the first data octet in a segment is the sequence number transmitted with that segment 
and is called the segment sequence number. Each segment also carries an acknowledgment number 
which is the sequence number of the next data octet the receiver expects to arrive. When the 
TCP transmits a segment, it puts a copy on a retransmission queue and starts a timer; when 
the acknowledgment for that segment is received, the segment is deleted from the queue. If the 
acknowledgment is not received before the timer runs out, the segment is retransmitted. At the 
receiver, the sequence numbers are used to order segments received out of turn and to eliminate 
duplicates. 

TCP's acknowledgment and retransmit mechanism is augmented by adding a checksum to 
each segment transmitted, checking it at the receiver, and discarding damaged segments. 

It is important to note that an acknowledgment by TCP does not guarantee that the data 
have been delivered to the end user, but only that the receiving TCP has taken the responsibility 
for doing so. 

Flow Control 

TCP provides a means by which the receiver can govern the amount of information transmitted 
by the sender. This is achieved by returning a "window" with every ACK indicating a range of 
acceptable sequence numbers beyond the last segment successfully received. This window specifies 
an allowed number of octets that the sender may transmit before receiving further permission. 






Multiplexing and Connections

To allow many processes within a single host to use the communication facilities simul- 
taneously, the TCP provides a set of addresses or ports within each host. The concatenation 
of a port number with the host address from the network communication layer is called a socket. 

The reliability and flow control mechanisms require that TCPs maintain certain status infor- 
mation for each data stream. This information, including sockets, sequence numbers, and window 
sizes, is called a connection and is uniquely specified by the pair of sockets it connects. A connec- 
tion is defined by a pair of sockets, regardless of the processes plugged in to those sockets and 
TCP places no restrictions on a particular connection being used over and over again. Each new 
instance of a connection will be referred to as an incarnation of the connection. A local socket 
may participate simultaneously in connections to various foreign sockets and all connections are
full duplex. 

When two processes wish to communicate, their TCP's must first establish a connection 
(initialize the status information on each side). When communication is complete, the connection 
is terminated or closed to free the resources for other uses. 

The binding of ports to processes is handled independently by each host. However, it is 
convenient to attach frequently used processes (e.g., a file server or timesharing service) to fixed 
sockets which are made known to the public. These services can then be accessed through the 
known addresses. Establishing and learning the port addresses of other processes may involve more 
dynamic mechanisms in higher protocol layers. 

Precedence and Security 

In addition to the above features, TCP is also described as providing precedence and security. 
This, however, is security in the sense of computer operating system security and provides no 
protection in itself. It is only an option label passed through to the underlying network com- 
munication layer, which is expected to operate in a link secure environment. The security label is 
used by both the ends of the connection and any intermediate nodes to guarantee that classified 
segments will not be routed either to hosts with inadequate clearance or along paths with inade- 
quate protection. 

2.2 The Host Environment 

The TCP specification assumes that TCP is a module in a computer operating system and 
that processes access the TCP much as they would access the file system. The TCP may call on 
other operating system functions to, for example, manage data structures. The actual interface 
to the network is assumed to be controlled by a device driver module. The TCP does not call on 
the network device driver directly, but rather calls on the network level datagram protocol module 
which may in turn call on the device driver. Despite this assumption the mechanisms of TCP do 
not preclude implementation of the TCP in a front-end processor, but in such an implementation, a 
host-to-front-end protocol must provide the functionality to support the type of TCP-user interface
described above. 

In the environment of a verifiably secure operating system, implementation of TCP within
the system itself would be perfectly acceptable from a security viewpoint. In the absence of this






as yet unavailable technology, it is more desirable to isolate TCP together with the cryptographic 
machinery in a front end computer. 

2.3 TCP Interfaces

The TCP/user interface provides for calls made by the user on the TCP to OPEN or CLOSE 
a connection, to SEND or RECEIVE data, or to obtain STATUS about a connection. These calls 
are like other calls from user programs on the operating system, for example, the calls to open, 
read from, and close a file. 

The TCP/network layer interface provides calls to send and receive datagrams addressed to 
TCP modules in hosts anywhere in the internet system. These calls must have parameters for 
passing the address, type of service, precedence, security, and other control information. 

2.4 The Structure of the TCP Segment 



    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 2.1 TCP Header Format



The TCP header block carries the sixteen bit names of the source and destination ports, but 
not the full socket names, which are carried in the underlying network layer datagram. It devotes 
thirty-two bits each to the sequence number of the first data octet in the segment and, if the ACK 
bit is set, to the value of the next sequence number the sender of the segment is expecting to 
receive. 

A four bit data offset field specifies the length, in 32-bit words, of the TCP header. Six bits 
are reserved for possible use in future versions of TCP. Eight control bits explain the segment's 
purposes: 

URG: Urgent Pointer field significant 

ACK: Acknowledgment field significant 

PSH: Push Function 

RST: Reset the connection 

SYN: Synchronize sequence numbers 

FIN: No more data from sender 

The 16-bit window field gives the number of octets beginning with the one acknowledged that the 
sender is currently willing to accept. The checksum field contains a checksum of the entire segment 
plus a pseudo-header containing data from the network layer. This checksum was designed for 
simplicity and makes no attempt to detect intentional tampering. If the URG bit is set, the urgent 
pointer contains the sequence number of the first octet following the urgent data. 

The option field is of variable length and contains any selected options. Each option consists 






of either one octet, for a fixed length option, or an option octet, an option length octet, and the 
option data. Following the options, the header is padded out to an integral number of 32-bit words. 
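The header of Figure 2.1 and its checksum, as an added example (not from the paper): the code assembles and parses a segment with a 20-octet header, computes the checksum over the segment and the network-layer pseudo-header as the specification defines it, and then shows the point made above about tampering. Random damage (a flipped bit) is caught, but an opponent who can alter a segment can also recompute the checksum, since it needs no secret, and the receiver's check passes. The addresses, ports and payloads are constructed for the demonstration.

```python
# Added example: TCP segment layout and checksum, and why the checksum is not an integrity check.
import struct

CTL_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
# src port, dst port, seq, ack, data offset/reserved, control bits, window, checksum, urgent ptr
HDR = "!HHIIBBHHH"

def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry; an odd trailing octet is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, tcp_length):
    """Network-layer data folded into the checksum: addresses, zero, protocol 6, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_length)

def tcp_checksum(src_ip, dst_ip, segment):
    """One's complement of the one's complement sum over pseudo-header plus segment
    (the checksum field itself is zero while computing)."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF

def checksum_ok(src_ip, dst_ip, segment):
    """Receiver's check: summing everything including the stored checksum yields all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, ctl, window, payload=b"", urgent=0):
    """Assemble a 20-octet header (no options) plus payload and fill in the checksum."""
    control = sum(CTL_BITS[f] for f in ctl)
    data_offset = 5                       # header length in 32-bit words
    header = struct.pack(HDR, sport, dport, seq, ack, data_offset << 4, control, window, 0, urgent)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload

def parse_segment(segment):
    """Split a segment into its header fields, options and data (Figure 2.1)."""
    sport, dport, seq, ack, off, control, window, csum, urgent = struct.unpack(HDR, segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "ctl": sorted(f for f, b in CTL_BITS.items() if control & b),
            "window": window, "checksum": csum, "urgent": urgent,
            "options": segment[20:hlen], "data": segment[hlen:]}

def tamper(src_ip, dst_ip, segment, new_payload):
    """What an active opponent does: replace the payload and re-stamp the checksum."""
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    csum = tcp_checksum(src_ip, dst_ip, header + new_payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + new_payload

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])    # constructed addresses

def demo():
    seg = build_segment(SRC, DST, 1024, 23, 101, 301, ["ACK", "PSH"], 4096, b"ls -l\r\n")
    bit_flip = seg[:-1] + bytes([seg[-1] ^ 0x01])          # transmission damage: detected
    forged = tamper(SRC, DST, seg, b"cat secrets\r\n")      # deliberate change: not detected
    return {"original_ok": checksum_ok(SRC, DST, seg),
            "bit_flip_ok": checksum_ok(SRC, DST, bit_flip),
            "forged_ok": checksum_ok(SRC, DST, forged),
            "forged_data": parse_segment(forged)["data"]}
```

The checksum field is thus a defence against noise only; protection against message stream modification, in the sense of Section 3, has to come from a cryptographic mechanism the opponent cannot recompute.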

2.5 Establishing and Clearing Connections 

Since connections must be established between unreliable hosts and over a potentially unreli-
able communication network, a handshake mechanism with clock-based sequence numbers is used
to avoid erroneous initiation of connections.

A connection, as mentioned earlier, may be opened and closed repeatedly by a variety of 
different processes. The problem that arises from this is how to identify duplicate segments from 
previous incarnations of the connection, a problem that is apparent if the connection is being closed 
and reopened in rapid succession, or if the connection is broken (with loss of memory) and later 
then reestablished. 

A connection is specified in the OPEN call by the local port and foreign socket arguments. In 
return, the TCP supplies a (short) local connection name by which the user refers to the connection 
in subsequent calls. There are several things that TCP must remember about a connection and 
this information is stored in a data structure called a Transmission Control Block (TCB). 

The OPEN call specifies whether connection establishment is to be actively pursued, or to be 
passively attended. A passive OPEN request means that the process wants to accept incoming 
connection requests rather than attempting to initiate a connection. Often the process requesting 
a passive OPEN will accept a connection request from any caller. In this case a foreign socket of 
all zeros is used to denote an unspecified socket. 

A connection is initiated by the rendezvous of an arriving segment containing a SYN and a 
waiting TCB entry created by a user OPEN command. The matching of local and foreign sockets 
determines when a connection has been initiated. The connection becomes "established" when 
sequence numbers have been synchronized in both directions. 

The procedure used to establish a connection is called a three-way handshake. This procedure 
is normally initiated by one TCP and answered by another. This simplest three-way handshake 
is shown below. Segment contents are shown in abbreviated form, with sequence number, control 
flags, and ACK field. Other fields such as window, addresses, lengths, and text have been left out 
in the interest of clarity. 





      TCP A                                                TCP B

  1.  CLOSED                                               LISTEN

  2.  SYN-SENT    --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED

  3.  ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED

  4.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK>       --> ESTABLISHED

  5.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED

          Figure 2.2 Basic 3-Way Handshake for Connection Synchronization



The three way handshake also works if two TCP's initiate communication simultaneously. 






      TCP A                                            TCP B

  1.  CLOSED                                           CLOSED

  2.  SYN-SENT     --> <SEQ=100><CTL=SYN>              ...

  3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>              <-- SYN-SENT

  4.               ... <SEQ=100><CTL=SYN>              --> SYN-RECEIVED

  5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...

  6.  ESTABLISHED  <-- <SEQ=300><ACK=101><CTL=SYN,ACK> <-- SYN-RECEIVED

  7.               ... <SEQ=101><ACK=301><CTL=ACK>     --> ESTABLISHED

     Figure 2.3 3-Way Handshake for Simultaneous Connection Synchronization



The examples above do not show connection synchronization using data-carrying segments, 
but this is perfectly legitimate, so long as the receiving TCP does not deliver any data to the user 
until it is clear the data are valid (i.e., until the connection reaches the ESTABLISHED state). 

The clearing of a connection also involves the exchange of segments, in this case, segments 
carrying the FIN control flag. 

3 Meaning and Scope of Transport Layer Security

In attempting to provide a secure transport layer protocol, we must answer two fundamental 
questions: 

(1) What does it mean for communications in the transport layer to be secure? 

(2) What does it mean for this security to have been applied by the transport layer? 

The answer to the former question, as always, is that transport layer security is the combina- 
tion of privacy (protection against disclosure of message contents to unauthorized parties) and 
authentication (a guarantee that the receiver knows the identity of the sender and that the mes- 
sage has arrived unaltered and without undue delay). In implementing secure transport protocols, 
however, it is valuable to refine this taxonomy. 

As viewed from the transport layer, the opponent in an internetwork environment has the 
power not only to intercept, record, and examine all data passing over any connection, but to insert 
or delete messages at will. Privacy protection can be viewed as an attempt to limit the amount 
of information that the opponent can derive from these activities. Authentication measures are 
an attempt to assure that the opponents intrusions into the communication channel do not go 
unnoticed. 

In the case of privacy, there is the possibility that even though an opponent is prevented 
from discovering the contents of any individual message, he is nonetheless able to make valuable 
deductions from an examination of the timing, length, and distribution of a variety of messages, a 
technique called traffic analysis. Protection for the contents of individual messages is called message 
privacy. Measures that prevent an opponent from studying the overall flow of communications are 
called transmission security. 

Authentication is more complicated and is closely tied to the second question. In specifying 
that the receiver knows the identity of the sender, we must ask in what terms this identity is to 
be given. A transport protocol provides process to process communication, but these processes 
are known to the transport layer only through their association with sockets. A guarantee of the 
identity of the source of a message from the transport layer viewpoint is thus a guarantee that 






segments actually emanate from some particular socket. This guarantee will be called protection 
against unauthorized connection initiation. 

Given this limited view of the meaning of identity within the transport layer, it is reasonable to 
ask how socket identity is translated into the identities of entities in which trust is actually vested 
within the security system. This translation, however, takes place within higher level protocols 
that make use of the transport layer. The role of the latter is limited to supplying secure socket 
to socket connections. 

The second criterion for the authenticity of data is a guarantee that messages have not been 
surreptitiously altered during transit; this guarantee is called assurance of message integrity or 
protection against message stream modification. 

In either of the above cases it is also possible to distinguish different levels of quality in the 
evidence for authenticity. It is often the case that although the receiver of a message is able to 
assure himself that he knows the identity of the sender and the message has come through the 
channel unaltered, he would be unable to establish to a third party that he had not composed the 
message himself. If the receiver has the means of establishing the identity of the sender to the
satisfaction of third parties, we say that the message bears a digital signature. 

Some intruder actions may take the form, not of altering legitimate messages or even of 
sending new ones, but of delaying messages either for a limited period of time or indefinitely. The 
possibility that the intruder will delay messages sufficiently that their meanings have changed is 
called the threat of replay. 

When the intruder goes one step further and delays messages indefinitely, the legitimate com- 
municators are said to experience denial of service. This threat is often treated differently from 
others as it is often said that denial of service cannot be prevented, but only detected by authen- 
tication measures. A closer examination reveals that this is true of all threats to authentication. 
An intruder cannot be denied the chance to work mischief on the communication channel, but 
only prevented from doing it surreptitiously. In the case of message stream modification, however, 
countermeasures come so directly to the receiver's hand as to becloud the issue: A message that 
is recognizably inauthentic will be rejected immediately and the intruder will have achieved little. 
The practical effect of authentication is either to deter the intruder altogether or to convert all 
attacks into denial of service. 

The use of protection against message stream modification opens the question of why false 
connections must be prevented at all. Data that come from illegitimate connections and data that 
started out from legitimate connections but were modified en route are, after all, indistinguishable 
to the receiver. Since each message must be authenticated before it is accepted, an unauthorized 
connection might be opened, but no useful data could be sent over it. 

The answer lies in the second question. In saying that security has been supplied by the 
transport layer, we are saying that the higher level processes that appeal to the transport layer 
must be placing their faith in it, that the transport layer itself must be operating securely rather 
than merely serving as the conduit for secure communications. Any authentication procedure 
required to guarantee segment correctness must therefore be carried out by the TCP's. To limit 
authentication tests to the data alone and thus allow initiation of a connection (fail to check 
authenticity of SYN messages) even though no data from that connection would be accepted as 
authentic, serves only to leave an opening for the opponent to tie up the network with unauthorized 
connections. 



115 



4 Securing TCP Cryptographically 
4.1 Cryptography 

The basic approach to securing TCP will of course be to encrypt as much as possible of each 
TCP segment. In so doing, we need make only a few assumptions about the cryptographic system 
in use. These assumptions describe the operations of which it is capable [2,6], including whether it 
has the public key capability, but say nothing about its strength or internal functioning. 

Public Key and Conventional Systems 

In using cryptography to provide a secure transport service, either public key or conventional 
cryptosystems may be used. The advantages of the former are an improvement in the security of 
key distribution [2] and the availability of digital signatures. The latter have the advantage, at least 
for the present, of both higher performance and greater familiarity. 

A public key system can perform all of the tasks of a conventional system, even though in 
some of these it can make no use of its public key capability. A single, public key, cryptosystem 
might therefore be used for all encryption within a network. At present, however, the low speeds 
and large block sizes of public key systems make them undesirable for any application in which 
their special capabilities are not required and a combination of public key and conventional systems 
is the most satisfactory arrangement. 

It is also possible to operate a conventional cryptographic system in the style of a public key 
system, thereby minimizing the effect on protocol structure of the decision to select one or the 
other. The user of a public key system employs one key (the other user's public key) for sending 
messages and another (his own private key) for receiving them. The same approach can be adopted 
in the conventional case with each user employing one key to encrypt his outgoing messages and 
another to decrypt the incoming ones. 

It is important to remember that a conventional system operating in the public key style does 
not provide the public key functions; both keys must be treated as secret and no message can 
be regarded as digitally signed. It is equally important to note that this has little effect within 
the transport layer. At higher layers the distinction between conventional and public key systems 
affects the form of the protocols; in the transport layer, it affects only the quality of the protection 
provided. 

Cryptographic systems in the rest of this paper will always be described in the public key form. 
Each party will have both a sending key (other party's "public key") and a receiving key (his own 
"private key"). It is convenient for the lengths of keys to be powers of two. Keys for conventional 
systems are typically between 64 and 256 bits in length while public keys are at present somewhat 
longer, running from 256 bits up to about a thousand. 

Modes of Operation 

All cryptographic systems to be used are assumed to be capable of operating in one of the 
following modes: 

(1) Cipher block chaining mode (of which block mode is a special case) with blocklength n. 

(2) Cipher feedback mode on chunks of text of any size not longer than n. 




(3) Synchronous modes such as counter driven mode or Output Feedback mode on chunks of 
text of any size not longer than n. 

The most common forms of cipher feedback operate on either a single bit at a time or on eight 
bits at a time. Because of the octet oriented structure of TCP, eight bit cipher feedback is the 
most natural choice for encrypting TCP segments. In cipher feedback mode, however, a system 
can make no use of the public key property and cipher block chaining might therefore be selected 
for this purpose. 

Synchronous modes of cryptographic operation have been popular in communication systems 
because they do not propagate errors and thus offer good performance in the presence of noise. 
This feature has no direct effect on TCP itself and is generally less applicable at the transport level 
of packet switched networks because of error correction at lower levels. Nonetheless, there would 
be no disadvantage in using synchronous modes with TCP and this might in some cases provide a 
convenient compatibility with existing equipment. 

Message Indicators and Cryptographic Checksums 

It is preferable for TCP segments to be independently decryptable, since the alternative 
requires that sufficient information be left in clear to allow segment ordering before decryption. The 
cost of this decision is additional information in each segment, telling the receiver the cryptographic 
state in which to begin decrypting the message. This information is variously called a message 
indicator or initialization vector and should, for security's sake, be no less than 64 bits in length. 

In both the cipher block chaining and cipher feedback modes of encryption, each item of text 
is encrypted or decrypted in a manner that depends not only on the key, but on some quantity of 
the preceding cipher text. In these modes, the message indicator plays the role of this quantity. 

For authentication purposes, the cryptographic system must be capable of generating a cryp- 
tographic checksum for each segment transmitted. This checksum is of the order of 64 bits in 
length and depends on three different types of data: 

(1) Data included in the segment in encrypted form. 

(2) Data included in the segment, but not encrypted. 

(3) Data associated with the segment, but already known to the receiver and not transmitted. 

When a public key cryptosystem is employed, the cryptographic checksum can play the role 
of a digital signature. This can be accomplished either by applying the public key system directly 
to all of the data to be signed, or by computing a cryptographic checksum with a conventional 
system and then signing the checksum. 

Key Management 

Since key distribution is a process that is handled primarily above the transport layer, it will 
not be examined in detail here. For our purposes, it will be sufficient to assume that when a TCP 
connection is opened, keys specific to that connection have already been placed in position at its 
ends. 




4.2 Message Privacy 

Message Privacy is accomplished by encrypting all data in the TCP segment and as much 
of the header information as possible. The amount of header information that can be protected 
depends on the degree of compatibility that must be maintained between secure and unsecured 
TCP. If full compatibility (interoperability with existing TCP implementations) is required, all 
header data must be left in clear. On the other hand, in a network where all TCPs incorporate 
security and all segments are required to be encrypted, encryption can be extended to the header 
as a whole. In a network where both secured and unsecured TCP connections are permitted, some 
means must be provided for distinguishing between encrypted and unencrypted segments. 

Unlike the other elements of the header, the source and destination ports present a particularly 
difficult problem with respect to encryption. Since connections occur between pairs of ports, 
port numbers are just the lowest order part of the packet address and from this point of view 
should merely be passed in clear. This, however, although convenient, is undesirable and probably 
unnecessary. It is undesirable because the port numbers provide information of great value to 
a traffic analyst. It is unnecessary since the port numbers (unlike other parts of the address) 
distinguish between processes all of which are located within a single physically secured location. 

If the source and destination ports were encrypted in the connection specific keys, the receiving 
TCP would have no way of discovering for which of its ports an incoming segment was intended. 
Its only hope would be to decrypt the segment under the key associated with each possible port. 
Although procedures of this kind are suitable in some cases, the process would be too time 
consuming to be applied to each incoming segment. 

In order to avoid leaving the port numbers in clear there are two possibilities. Either all 
segments must be encrypted with a key associated with the host pair rather than the process pair 
or the port numbers alone must be encrypted with such a key. It appears preferable to encrypt 
only the port fields using host pair keys, since associating keys solely with host pairs appears to 
present the same difficulties as having an additional host pair key and is made awkward by the 
fact that communication is synchronized on a connection basis. 

Host pair keys must either be provided by the key distribution mechanism along with the 
session keys or derived therefrom by the communicating TCP's. Any scheme presents some 
bookkeeping problems: When a second connection is opened between the same pair of hosts, the 
corresponding TCP's must cooperate in either maintaining the first host pair key or (probably 
better, but more difficult) switching to the second. This task cannot be borne by the Key 
Distribution Center unless there is only one KDC in use by the two hosts and this KDC is required 
to maintain awareness of all connections in progress. 

4.3 Transmission Security 

Even when the whole segment, including the entire header, is encrypted, the lengths, timings, 
and host addresses of segments will be visible to traffic analysts. This is a problem that is not 
readily attacked in transport layer protocols. 

The essence of transmission security is concealing traffic patterns from an opponent by sending 
dummy messages. The role of cryptography in this process is vital but limited: it prevents the 
opponent from distinguishing real messages from dummies. 

Transmission security measures can readily be applied at the link level in circumstances where 
the cost of communication does not depend on the volume of traffic. In this case, the link is kept 
constantly busy with a stream of encrypted data whether there are real messages to send or not. 

It is also possible to apply transmission security measures in the network layer of broadcast 
networks. Under these circumstances, the origins and destinations of messages can be concealed 
by using cryptography as the addressing mechanism. All messages are encrypted and a station 
recognizes the messages addressed to it by finding that it can decrypt them successfully. The 
existence and lengths of messages are harder to conceal. Dummy messages can be sent at little 
intrinsic cost, but they must be managed very carefully to avoid congesting the network. 

Applying transmission security on an end-to-end basis in point to point networks (where 
addressing information is needed by the intermediate nodes) is extremely difficult and may properly 
belong to the network layer rather than the transport layer. In order to conceal all traffic flow 
information, messages must be transported by flood routing: The point to point network mimics 
a broadcast network by routing all messages to all possible addresses. This, of course, is feasible 
in only the most exceptional circumstances. It may, however, be possible to increase the traffic 
analyst's burden, at acceptable costs, by sending only a moderate number of additional messages, 
particularly if resources are dedicated to relaying messages [1]. 

4.4 Secure Connection Management 

Security gives meaning to the concept of connection above and beyond that already present 
in TCP. A secure connection is the fundamental service provided by a secure transport protocol 
and is characterized by the use of a particular set of cryptographic keys. In this light, the TCP 
concepts of "connection" and "connection instance" deserve further examination. 

In TCP a connection is defined entirely by a pair of sockets. Intuitively, this concept is 
overbroad, failing as it does to distinguish between two quite different cases. In the former, two 
processes, each of which owns a particular port, repeatedly open and close the TCP connection 
between them. In the latter, a connection is opened, used, and closed by a pair of processes, then 
at a later time the same pair of sockets, hence in TCP terms the same connection, is employed by 
a new and unrelated pair of processes. For TCP's purposes, these cases are indistinguishable; its 
concern is solely to be able to discern and reject segments that are not intended for the current 
incarnation. 

We will use the term session to distinguish connections of the former type, connections unified 
by the use of a single set of cryptographic keys. This term reflects the fact that these connections 
are arranged by key distribution protocols operating in the session layer of network architecture. 

It is still necessary to be able to distinguish one incarnation of the connection from the next 
and so we will further distinguish between session keys and incarnation keys. The former are 
supplied by a higher level key distribution mechanism, while the latter are arranged locally by the 
corresponding TCP's in the course of opening the connection. 

It is also possible to take the more restrictive view that each incarnation of a connection is 
a distinct entity and thus to require old keys to be discarded each time a connection is closed 
and new keys to be distributed each time a connection is opened [5]. We will adopt the viewpoint 
above as being closer to that of unsecured TCP. Note however, that while a closed unsecured TCP 
connection leaves no trace in the participating TCP's, a closed secure connection requires a key to 
be preserved for later use either by TCP or by some closely associated mechanism. 



In many applications a secure connection will be limited to a single incarnation. The procedure 
in this case, however, is the same as for the multi-incarnation case: an incarnation key is derived 
from the connection key during the open. 

Establishing a Secure Connection 

Secure connection initiation requires the addition of a challenge and response authentication 
procedure to the three way handshake. Before connection initiation can begin, keys must have been 
delivered to the corresponding TCP's. In the fundamental case, where one process is initiating 
a connection to another, the key distribution mechanism will also provide each TCP with a 
specification of both sockets. Once this has occurred, the "calling" TCP begins an active open 
sequence and the "called" TCP begins a passive open. The basic structure of such an exchange 
follows; the issue of how the data are incorporated in TCP segments depends on the degree of 
compatibility with unsecured TCP that is required and is discussed in later sections. As described 
earlier, all keys will be presented in pairs in the public key form. 

The calling TCP, A, constructs a SYN segment to which a challenge has been added. 

TCP-A → TCP-B: {A's challenge}^{B's public key} 

When the called TCP, B, receives this segment it returns a SYN packet to A both answering A's 
challenge and presenting a challenge of its own. 

TCP-B → TCP-A: {A's challenge}^{B's private key}, followed by B's challenge 

Using TCP B's public key, TCP A can decrypt the first half of this message to verify that its 
challenge has been answered correctly and can recognize the latter part as a challenge to which it 
must respond. 

TCP-A → TCP-B: {B's challenge}^{A's private key} 

This exchange, in addition to unsecured TCP's synchronization of sequence numbers, 
demonstrates to each party that the other is the party to which it had been referred by the 
key distribution mechanism. At the same time it serves to exchange pieces of information (the 
challenges) that will serve as the keys for the current incarnation. 

The requirement in unsecured TCP that sequence numbers be generated in a non-repeating, 
clock dependent, manner is replaced by a similar but more exacting mechanism for generating 
the incarnation key. This allows the sequence numbers themselves always to begin at zero, 
since segments from previous incarnations can be recognized as being encrypted under outdated 
incarnation keys. 

TCP allows the possibility that both ends of a connection may attempt to open simultaneously. 
Although this is unlikely at the beginning of a secure connection, it can occur when a connection 
is reincarnated. The only effect of independent opens is that the second message above will appear 
as two distinct messages rather than one combined message. 
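As an added example (not code from the paper), the exchange above is simulated below in Python with a conventional cryptosystem run in the paper's public key style: each TCP holds a sending key (the peer's "public key") and a receiving key (its own "private key"), the two challenges become the incarnation key, sequence numbers restart at zero, and a replayed segment is then rejected either for its checksum (earlier incarnation) or for its sequence number (earlier in the same incarnation), as sections 4.4 and 4.5 describe. Re-running the exchange on an open connection is the availability challenge of section 4.6. The derivation of the incarnation key from the challenges, the HMAC stand-ins for the cipher and the cryptographic checksum, and the segment encoding are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Added illustration, not the paper's code. A conventional cryptosystem is operated in the
# paper's "public key style": each TCP holds a sending key (the peer's "public key") and a
# receiving key (its own "private key"); with conventional keys both are secret and
# A.send_key == B.recv_key, B.send_key == A.recv_key. Truncated HMAC-SHA256 stands in for
# the cryptographic checksum and an HMAC keystream stands in for encryption. The key
# derivation and message encodings are this example's own choices.


def checksum(key: bytes, data: bytes) -> bytes:
    """64-bit cryptographic checksum (the paper's size) as a truncated HMAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def seal(key: bytes, data: bytes) -> bytes:
    """Toy encryption of a value of at most 32 bytes: a fresh nonce selects a keystream."""
    nonce = os.urandom(8)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))


class SecureTCP:
    def __init__(self, send_key: bytes, recv_key: bytes) -> None:
        self.send_key, self.recv_key = send_key, recv_key
        self.incarnation_key = b""
        self.send_seq = self.recv_seq = 0      # sequence numbers always begin at zero

    # --- the challenge and response added to the three way handshake -------------
    def challenge(self) -> bytes:
        """Our challenge, encrypted under the peer's "public key" (our sending key)."""
        self.my_challenge = os.urandom(8)
        return seal(self.send_key, self.my_challenge)

    def answer(self, sealed_peer_challenge: bytes) -> bytes:
        """Recover the peer's challenge with our "private key" and answer it under that
        same key; the peer checks the answer with our "public key"."""
        self.peer_challenge = unseal(self.recv_key, sealed_peer_challenge)
        return checksum(self.recv_key, b"resp" + self.peer_challenge)

    def verify_answer(self, response: bytes) -> bool:
        return hmac.compare_digest(checksum(self.send_key, b"resp" + self.my_challenge), response)

    def start_incarnation(self, caller: bool) -> None:
        """Both challenges, now known only to the two TCPs, become the incarnation key."""
        c = (self.my_challenge + self.peer_challenge) if caller else (self.peer_challenge + self.my_challenge)
        self.incarnation_key = hashlib.sha256(c).digest()[:16]
        self.send_seq = self.recv_seq = 0

    # --- data segments under the incarnation key ---------------------------------
    def send(self, data: bytes) -> bytes:
        seq = self.send_seq.to_bytes(4, "big")
        self.send_seq += len(data)
        return seq + checksum(self.incarnation_key, seq + data) + data

    def receive(self, segment: bytes) -> str:
        seq, tag, data = segment[:4], segment[4:12], segment[12:]
        # judged first for authenticity by its checksum, then for timeliness by its sequence number
        if not hmac.compare_digest(checksum(self.incarnation_key, seq + data), tag):
            return "rejected: inauthentic (wrong incarnation key or altered)"
        if int.from_bytes(seq, "big") != self.recv_seq:
            return "rejected: untimely (wrong sequence number)"
        self.recv_seq += len(data)
        return "accepted"


def open_connection(a: SecureTCP, b: SecureTCP) -> bool:
    """The three messages of the exchange: a is the calling TCP, b the called TCP.
    Re-running it on an open connection changes the incarnation key (section 4.6)."""
    m1 = a.challenge()                                   # A -> B: {A's challenge}
    m2_answer, m2_chal = b.answer(m1), b.challenge()     # B -> A: answer plus B's challenge
    if not a.verify_answer(m2_answer):
        return False
    m3 = a.answer(m2_chal)                               # A -> B: {B's challenge} answered
    if not b.verify_answer(m3):
        return False
    a.start_incarnation(caller=True)
    b.start_incarnation(caller=False)
    return True


def demo() -> dict:
    """Constructed run: a replay within an incarnation and a replay across incarnations."""
    k1, k2 = os.urandom(16), os.urandom(16)
    a, b = SecureTCP(send_key=k1, recv_key=k2), SecureTCP(send_key=k2, recv_key=k1)
    if not open_connection(a, b):
        raise RuntimeError("handshake failed")
    seg = a.send(b"hello")
    results = {"first": b.receive(seg), "replay_same_incarnation": b.receive(seg)}
    open_connection(a, b)                                # reincarnation: fresh challenges, fresh key
    results["replay_old_incarnation"] = b.receive(seg)
    results["after_reopen"] = b.receive(a.send(b"hello"))
    return results
```

Note the order of the two checks in `receive`: a segment is judged for authenticity before its sequence number is consulted, so an old segment can never move the receiver's sequence state, and a handshake with mismatched keys fails at `verify_answer` before any incarnation key is installed.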

Passive Open with Unspecified Foreign Socket 








The secure connections discussed above all take place between fully specified socket pairs; 
unsecured TCP, however, allows the possibility of a passive open with an unspecified foreign 
socket. Among secure TCPs, this event can only occur in limited cases, but these cases are very 
important. This mechanism both impinges on the domain of key distribution and is required by 
the key distribution center. 

When a listening TCP receives an encrypted SYN from an unpredetermined foreign socket, it 
must determine what key to use. This problem is dramatically simplified if the connection keys are 
public keys, in which case the session key will be a public key for the listening process regardless 
of the identity of the calling process. Using conventional keys, however, this determination is more 
complex. 

If the calling process is always assigned the same port by its local TCP, then the listening 
TCP can determine the correct key from the foreign socket. This is probably the most general 
possibility that can be allowed since in any other case the contacts, although between the same 
two processes, are not in the TCP sense the same connection. 

Message Integrity 

Message integrity is gained by adding a cryptographic checksum (also about 64 bits in length) 
to the segment. This checksum covers the pseudo-header, header, and data and must be correct 
in order for a segment to be acknowledged. 

This mechanism also extends the sender identification established during connection initiation 
by demonstrating that the sender of the segment knows the incarnation key that was agreed on 
during the challenge and response. 

4.5 Detection of Replay 

Unsecured TCP provides a mechanism for recognizing and rejecting segments from previous 
incarnations that have been lost long enough in the network to be mistaken for segments from 
the current incarnation. Secure TCP must reject in addition segments held for arbitrarily long 
periods, and subsequently replayed, by an opponent. Fortunately, the cryptographic techniques 
used to provide security also provide a simpler and more reliable means of making this distinction. 

There are two fundamental means for judging the timeliness of messages. If the sender and 
receiver have synchronized clocks, a message whose integrity is guaranteed can also be authenti- 
cated as timely by examination of an included time field. This time field can be expressed either 
in hours, minutes, and seconds or, as with TCP's sequence numbers, in terms of the amount of data 
sent and received. If synchronized clocks are not available, timeliness can be verified by a challenge 
and response procedure. Data will be recognized as current if they are tied to the response to a 
current challenge. 

Secured TCP uses both of these mechanisms. The incorporation of a challenge and response 
procedure in initiating the connection guarantees the timeliness of the SYN segments. These in 
turn serve to synchronize a clock (the sequence numbers) in terms of which the timeliness of all 
later segments is verified. 

Replayed segments will be detected as inauthentic either because they come from earlier 
incarnations of the connection, and are thus encrypted in the wrong incarnation key, or because 
they come from earlier in the same incarnation, and thus have the wrong sequence number. 



4.6 Detecting Denial of Service 

Some protection against denial of service is built in to TCP through the acknowledgment 
mechanism: a sending TCP cannot remain unaware that a segment has failed to reach its destina- 
tion. A TCP that is not transmitting, however, but merely waiting for a message from the other 
end of the connection has no way of knowing if this message has been blocked or merely has yet 
to be transmitted. 

To counter this possibility, a TCP that has not received a segment in some time can challenge 
the other end of the connection to demonstrate its availability and authenticity. This exchange is 
similar to that used to initiate an incarnation and can be used to change the incarnation key at 
unpredictable times during the session. This procedure can be used not only to detect denial of 
service, but to counter subtle vulnerabilities that make the use of a public key system to exchange 
conventional incarnation keys less secure than the use of public keys throughout [2]. 

5 Full Compatibility — An Added Layer of Protocol 

Full compatibility with TCP does not permit encryption of the header or even any changes or 
additions thereto. Any action that is to be taken must consist solely of additions to and encryption 
of the user data. These additions, furthermore, must take place prior to, and therefore in ignorance 
of the actions of TCP. This renders such otherwise plausible acts as adding a cryptographic 
checksum of the entire TCP segment infeasible. 

The effect is of the addition of an extra layer of protocol at the upper edge of the transport 
layer. A host adopting this approach will present to the world an entirely correct TCP appearance 
and may even have unsecured conversations with standard TCPs. A process requiring a secure 
connection, however, must make use of TCP not directly but through the added security layer. 

Under these circumstances some of TCP's functions are difficult or impossible to duplicate 
without building almost full transport layer functioning into the added security layer. 

5.1 Data Privacy and Authentication 

From TCP's point of view, the security layer is a user process and TCP will therefore hand it 
data that TCP believes to be damage free and in proper order. This allows the security layer to 
protect the privacy of the data by encrypting them as a single cipher chain and frees the security 
layer from the need to add a message indicator to each segment. The result is a reduction in 
overhead when transmitting ordinary data. 

One price that is paid for this reduction in the normal case is increased overhead in transmit- 
ting urgent data. When the security layer hands TCP a buffer with the urgent flag set, it must 
incorporate a message indicator as the first element. When the security layer receives urgent data 
from TCP, it must treat the first portion as a message indicator and decrypt the data accordingly. 

For authentication, the security layer must also compute cryptographic checksums on both 
the data and certain information from the TCP header and pseudo header. These are added by 
the sending security layer and used by the receiving one to test for alteration. In order to verify 
timeliness, these checksums must cover some equivalent of the sequence number; in order to detect 
segments maliciously routed back to the sender, they may need to cover the full socket pair. 

Fortunately, although the elements of the header generated by TCP are not available to the 
security layer, the information given to TCP in the OPEN or SEND calls is. Requests to open or 
use a secure connection are made to the security layer and passed thereby to TCP; this gives the 
security layer access to both socket addresses, although not the sequence number, acknowledgment, 
or window. To replace the sequence number to which it lacks access, the security layer generates 
a sequence number of its own by counting octets. 

For the sake of generality, it is desirable that authentication be accomplished without imposing 
any structure on the data beyond the segmentation carried out by TCP itself. This, however, 
presents a difficult problem. On transmission, the cryptographic checksums can be attached to 
the data given to TCP by the security layer. Recognizing these checksums in the received data 
is another matter. The security layer is not only unable to get TCP header information, but on 
receiving, it is unable to distinguish the data comprising individual segments. 

In order to make the segment structure of received segments visible to the security layer 
markers must be placed in the data stream where they will be passed through by TCP. Since 
TCP provides a transparent channel, any code reserved for this purpose can be expected to make 
occasional independent appearances in the data. Preventing such patterns from causing disruption 
requires use of bit or character stuffing techniques to alter the reserved pattern whenever it is seen 
by the sending security layer. 

In the event that inauthentic data are detected by the receiving security layer, its options are 
quite limited. It has no meaningful way to reject the segment, which has already been accepted 
by TCP, unless it duplicates the entire acknowledgment and retransmission mechanism. On the 
other hand, data that have already been accepted by TCP yet are found to be inauthentic must 
have been intentionally manipulated and the security layer can reasonably respond by sending an 
alarm message back to the user process and a reset to the TCP connection. 
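An added example (not the paper's code) of the security layer described in this section: a framer that ends each of its own segments with a reserved pattern in TCP's transparent octet stream and stuffs that pattern's escape octet when it occurs in the data, counts octets in place of the TCP sequence number it cannot see, covers the socket pair learned from the OPEN call in its cryptographic checksum (so a segment routed back to its sender fails), and raises an alarm when data already accepted by TCP prove inauthentic. The marker octets, frame layout, socket-pair encoding and the HMAC stand-in for the cryptographic checksum are this example's assumptions.

```python
import hashlib
import hmac

# Added illustration, not the paper's code, of a security layer sitting above an unmodified
# TCP (section 5.1). It receives a transparent octet stream, so it ends each of its own
# segments with a reserved marker and stuffs that marker's escape octet when it occurs in
# the data; it counts octets in place of the sequence number it cannot see; and its
# cryptographic checksum covers the socket pair learned from the OPEN call, which is known
# to both ends but never transmitted. Marker values and the frame layout are this example's
# own choices; truncated HMAC-SHA256 stands in for the checksum.

ESC, RS = 0x1B, 0x1E            # reserved pattern ESC RS ends a frame; ESC ESC encodes a data ESC
MARKER = bytes([ESC, RS])


def checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def stuff(data: bytes) -> bytes:
    """Character stuffing: double every ESC so the marker can never occur inside a frame."""
    return data.replace(bytes([ESC]), bytes([ESC, ESC]))


def parse_stream(stream: bytes):
    """Split the octet stream into complete, unstuffed frames; return them with the
    unparsed tail, which TCP will complete in a later delivery."""
    frames, cur, i, start = [], bytearray(), 0, 0
    while i < len(stream):
        b = stream[i]
        if b == ESC:
            if i + 1 == len(stream):
                break                                  # need the next octet to decide
            nxt = stream[i + 1]
            if nxt == RS:                              # end of frame
                frames.append(bytes(cur)); cur = bytearray(); i += 2; start = i; continue
            if nxt == ESC:                             # stuffed data octet
                cur.append(ESC); i += 2; continue
            raise ValueError("ESC followed by neither ESC nor RS: not produced by a sender")
        cur.append(b); i += 1
    return frames, stream[start:]


class SecurityAlarm(Exception):
    """Raised to the user process; the connection should then be reset."""


class SecurityLayer:
    def __init__(self, key: bytes, local_socket: str, foreign_socket: str) -> None:
        self.key, self.local, self.foreign = key, local_socket, foreign_socket
        self.sent = self.received = 0          # octet counts replace the TCP sequence number
        self.pending = b""

    def send(self, data: bytes) -> bytes:
        """Frame data for the SEND call: count, checksum, data, stuffed, then the marker."""
        count = self.sent.to_bytes(4, "big")
        covered = (self.local + ">" + self.foreign).encode() + count + data
        self.sent += len(data)
        return stuff(count + checksum(self.key, covered) + data) + MARKER

    def receive(self, delivered: bytes) -> list:
        """Called with whatever TCP hands up; returns the authenticated data units."""
        frames, self.pending = parse_stream(self.pending + delivered)
        out = []
        for frame in frames:
            count, tag, data = frame[:4], frame[4:12], frame[12:]
            # the sender's local socket is our foreign socket: a segment routed back to
            # its own sender fails here even if its octet count happens to match
            covered = (self.foreign + ">" + self.local).encode() + count + data
            if not hmac.compare_digest(checksum(self.key, covered), tag) or \
                    int.from_bytes(count, "big") != self.received:
                raise SecurityAlarm("inauthentic data accepted by TCP")
            self.received += len(data)
            out.append(data)
        return out


def demo() -> dict:
    """Constructed run: data containing the reserved pattern, delivered by TCP in odd pieces."""
    key = b"constructed session key"
    a = SecurityLayer(key, "10.0.0.1:4000", "10.0.0.2:25")
    b = SecurityLayer(key, "10.0.0.2:25", "10.0.0.1:4000")
    messages = [b"MAIL FROM:<x>\r\n", b"bin\x1b\x1e\x1b\x1bary", b"QUIT\r\n"]
    stream = b"".join(a.send(m) for m in messages)
    received = []
    for i in range(0, len(stream), 7):                  # TCP may split the stream anywhere
        received += b.receive(stream[i:i + 7])
    results = {"received": received, "altered": None, "reflected": None}
    altered = bytearray(a.send(b"DATA\r\n")); altered[-4] ^= 0x01
    try:
        b.receive(bytes(altered))
    except SecurityAlarm as e:
        results["altered"] = str(e)
    try:
        a.receive(a.send(b"echo"))                      # a's own frame routed back to it
    except SecurityAlarm as e:
        results["reflected"] = str(e)
    return results
```

The parser keeps the whole unfinished frame as its remainder rather than partial state, so a delivery that ends between an ESC and the octet that follows it is simply reparsed when the next piece arrives; and, as the text notes, the only recovery available on an alarm is an alarm to the user and a reset of the TCP connection, since the data have already been acknowledged by TCP.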

5.2 Connection Initiation 

Use of a separate security layer means that the triple handshake of TCP must be completed 
and then mirrored in a similar cryptographic handshaking procedure by the security layer. At first 
glance, it would appear that these two processes could be at least partially combined by making use 
of the data carrying abilities of TCP SYN segments. This approach fails, however, because TCP 
will not deliver the data in these segments to its user (the security layer) until its own connection 
setup process is complete. 

5.3 Detecting Denial of Service 

The separation of the security layer from TCP deprives the former of the level of denial of 
service protection supplied by TCP. The security layer can check arriving data for integrity, but 
would require a full acknowledgment mechanism of its own to be sure that data it sent had arrived. 
Implementation of more refined denial of service detection, however, is straightforward and mimics 
the initial authentication exchange. 

6 An Upward Compatible Extension of TCP 

An upward compatible extension of TCP simplifies the introduction of security by allowing 
the security mechanism direct access to the structure of TCP segments. This permits the segment 
as a whole, including almost all of the header information, to be encrypted. The exceptions are 
a bit indicating whether or not the segment is encrypted and perhaps the local and foreign port 
addresses. 

The problem of encrypting the port addresses has been touched on in an earlier section. They 
cannot be encrypted in a connection specific key since they are used precisely to distinguish between 
the various possible connections. They can, however, be encrypted in a host pair key. This has 
little effect on the principal functions of TCP and presents primarily a problem of installing and 
changing these keys at suitable times. 

In most cases, the receiving TCP does not need to distinguish between encrypted and un- 
encrypted segments because it will have been informed by the key distribution mechanism that 
an encrypted connection is to be created between specified local and foreign sockets. Aside from 
the possibility that encrypted and unencrypted segments may be allowed in the same session, the 
principal circumstance in which TCP might be required to distinguish is that of a passive open 
with unspecified foreign socket. 

Since the receiving TCP must be able to read the "encrypted" bit before decrypting the 
segment, this bit must be located in a fixed position relative to the segment's beginning, a constraint 
that precludes the use of the option area. The best solution appears to be using one of the 
reserved bits to indicate an encrypted segment. This assumes that the receiving TCP has only one 
cryptographic system at its disposal or that it has been informed by some other means of which 
system to use. This, however, is a natural assumption, since any other approach would be open to 
criticism on transmission security grounds. 

Encrypting the whole segment requires that decryption be carried out before segment reor- 
dering and therefore that each segment must be independently decryptable; this in turn mandates 
the addition of a message indicator to each segment. Since the receiving TCP cannot decrypt the 
segment correctly unless it is able to locate the message indicator, this item, like the "encrypted" 
bit, must occur in a fixed position, even though it only occurs in encrypted segments. 

One more item must be added to the segment: a cryptographic checksum. Unlike the message 
indicator, this need not be locatable prior to decrypting the segment. This allows greater freedom 
in its placement, but it seems clean and convenient to put it directly after the message indicator. 





[Figure 6.4 (diagram): layout of the encrypted segment header. Fields in order: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Data Offset, Reserved, ENC, URG, ACK, PSH, RST, SYN, FIN, Window, Checksum, Urgent Pointer, Message Indicator, Cryptographic Checksum, Options, Padding, Data.] 

Figure 6.4 Encrypted Segment Header 



The checksum occurs in every encrypted segment and is calculated from the entirety of the 
pseudo header, the header, and the data with the exception of the checksum itself, which may 
either be omitted from the calculation or replaced by zeros. In encrypted segments, the function 
of the 16 bit, non-cryptographic checksum in determining segment acceptability is supplanted by 
use of the cryptographic checksum. 
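The following added example (not the paper's code) builds and parses a segment in the format of Figure 6.4 and, at the same time, illustrates the message indicator and the three classes of checksummed data of section 4.1: the ports are sent in clear, the message indicator and cryptographic checksum sit at fixed positions readable before decryption, the ENC bit is the only bit of the flags word left in clear, everything else is encrypted in a counter driven mode keyed by the message indicator, and the checksum is computed over pseudo header (known to the receiver, never sent), header and data with the checksum field taken as zeros. The byte offsets, the choice of reserved bit for ENC, the fixed 36-octet header without options, and HMAC-SHA256 as the keyed function are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct

# Added illustration, not the paper's code, of the encrypted segment of Figure 6.4 and of
# the message indicator and cryptographic checksum of section 4.1. Layout (octets): ports
# 0-3 in clear; sequence, acknowledgment, offset/flags, window, checksum, urgent 4-19;
# message indicator 20-27 and cryptographic checksum 28-35 in clear at fixed positions;
# data from 36 (no options, for brevity). The ENC bit is the low reserved bit of the flags
# word and is the only bit of that word left in clear. Encryption is a counter driven mode
# (the paper's mode 3) with HMAC-SHA256 as a stand-in keyed function; the cryptographic
# checksum is a truncated HMAC over pseudo header, header and data with the checksum field
# zeroed. Offsets and the ENC bit position are this example's own choices.

ENC = 0x0040                                   # low reserved bit of the data offset/flags word
CLEAR = [(0, 4), (20, 36)]                     # ports, message indicator, cryptographic checksum
HDR = 36                                       # fixed header length: 9 words


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def keystream(key: bytes, mi: bytes, length: int) -> bytes:
    """Counter driven keystream selected by the message indicator; zero where the
    segment is left in clear, so one XOR both encrypts and decrypts a segment."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, mi + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    out = out[:length]
    for lo, hi in CLEAR:
        out[lo:hi] = bytes(hi - lo)
    out[13] &= ~(ENC & 0xFF)                   # the ENC bit itself is never encrypted
    return bytes(out)


def crypto_checksum(key: bytes, pseudo_header: bytes, header: bytes, data: bytes) -> bytes:
    """Covers data known to the receiver but not sent (pseudo header), data sent in clear
    (ports, MI) and data sent encrypted (the rest); the checksum field is taken as zeros."""
    zeroed = header[:28] + bytes(8)
    return hmac.new(key, pseudo_header + zeroed + data, hashlib.sha256).digest()[:8]


def build_segment(key, pseudo_header, src_port, dst_port, seq, ack, flags, window, data, mi=None):
    mi = mi or os.urandom(8)                   # fresh 64-bit message indicator per segment
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         (HDR // 4) << 12 | ENC | flags, window, 0, 0) + mi + bytes(8)
    # the 16-bit TCP checksum (written as 0 above) is supplanted by the cryptographic checksum
    tag = crypto_checksum(key, pseudo_header, header, data)
    plain = header[:28] + tag + data
    return xor(plain, keystream(key, mi, len(plain)))


def parse_segment(key: bytes, pseudo_header: bytes, wire: bytes) -> dict:
    """Receiver: read the ENC bit and the message indicator at their fixed positions
    before decrypting, then decrypt and judge the segment by its cryptographic checksum."""
    if not int.from_bytes(wire[12:14], "big") & ENC:
        return {"encrypted": False}            # an unsecured segment
    mi = wire[20:28]
    plain = xor(wire, keystream(key, mi, len(wire)))
    header, data = plain[:HDR], plain[HDR:]
    if not hmac.compare_digest(header[28:36], crypto_checksum(key, pseudo_header, header, data)):
        return {"encrypted": True, "authentic": False}
    src, dst, seq, ack, word, window, _, _ = struct.unpack("!HHIIHHHH", header[:20])
    return {"encrypted": True, "authentic": True, "src": src, "dst": dst, "seq": seq,
            "ack": ack, "flags": word & 0x3F, "window": window, "data": data}


def demo() -> dict:
    """Constructed run: the legitimate receiver, an altered copy, and the same segment
    judged against a different pseudo header (as if delivered to another host)."""
    key = b"constructed incarnation key"
    data = b"hello"
    # pseudo header: source IP, destination IP, zero, protocol, TCP length (never transmitted)
    pseudo = struct.pack("!4s4sBBH", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0, 6, HDR + len(data))
    other = struct.pack("!4s4sBBH", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 3]), 0, 6, HDR + len(data))
    wire = build_segment(key, pseudo, 4000, 25, seq=0, ack=0, flags=0x10, window=4096, data=data)
    altered = bytearray(wire); altered[-1] ^= 0x01
    return {"wire_ports": struct.unpack("!HH", wire[:4]), "enc_bit_visible": bool(wire[13] & 0x40),
            "parsed": parse_segment(key, pseudo, wire),
            "altered": parse_segment(key, pseudo, bytes(altered)),
            "misdelivered": parse_segment(key, other, wire)}
```

An observer of the wire sees the two ports and the ENC bit and nothing else of the header, which is the position described in section 6.1; the receiver needs no other field before decryption because the message indicator is at a fixed offset, and the pseudo header in the checksum is what ties the segment to the host pair even though it is never transmitted.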



In segments with the SYN flag set, additional data must be incorporated for the challenge 
and response aspect of the handshaking. These are probably best included in option fields, and we 
will add the two options CHAL and RESP. This permits these options to be used by themselves 
for various reinitializations of the incarnation key. 

6.1 Privacy, Reliability, and Authenticity 

Except during the opening of a connection, TCP's many functions operate protected, but 
barely affected, by encryption. An opponent examining intercepted segments can observe that 
their encrypted bits are on, and can confirm this observation by attempting to read the data, 
but can observe nothing more than the total length of the segment. The connection to which the 
segment belongs, the segment's data, and the various fields that would reveal how many octets have 
been sent, how many acknowledged, and whether the segment is a SYN, FIN, or retransmission 
are all concealed. 

The acknowledgment and retransmission mechanisms of secured and unsecured TCP operate 
in exactly the same way except that the cryptographic checksum replaces the non-cryptographic 
in deciding whether to accept a segment. An opponent can neither alter the subscribers' data nor 
affect the connection's behavior by inserting phony control segments, since any segment received 
is first judged for authenticity by its checksum and then for timeliness by its sequence number. 

6.2 Secure Connection Initiation 

The unsecured three way handshake assures both participating TCP's of the timeliness of 
the connection and allows them to reject stray segments from previous incarnations with high 
reliability. Each side chooses an initial sequence number for the current incarnation, sends this 
sequence number to the other TCP and receives in return an acknowledgment of this choice. 
Each TCP must both have acknowledged the other's starting sequence number and received an 
acknowledgment of its own before it will regard the connection as open and accept data for passage 
to its user. 

The initiation of secure TCP connections follows this pattern in form and extends it in 
objectives, verifying the timeliness of the connection as well as the more fundamental fact that the 
participating parties share a compatible set of cryptographic keys. 

Rather than agreeing on initial sequence numbers, secure TCP's agree on a set of keys for 
use in the current incarnation. This allows segments from previous incarnations to be detected 
not on the basis of bad sequence numbers, but on the inability of the receiver to decrypt them 
and derive a correct cryptographic checksum. This procedure is less prone to accidental failure 
than the unsecured version since keys are never less than twice as long as TCP's 32-bit sequence 
numbers and accidental repetitions are correspondingly less likely. It also frees the participants 
from the need to select random starting points in the sequence number space and allows both to 
begin at zero. 

In a secure connection, sequence numbers can never be permitted to cycle during the use of 
a single key since this would not allow new segments to be distinguished from old (played back) 
segments with the same sequence number. In fact, keys are not expected to remain in use for 
nearly this long, but rather are changed periodically by a mechanism to be discussed in connection 
with detecting denial of service. 

In the most common case of secure connection initiation, one end of the connection, which we 
will denote as A, starts proceedings with an active OPEN while the other, B, makes itself receptive 
to an arriving segment by doing a passive OPEN. 



A → B:   SEQ = 0 
         CTL = ENC, SYN 
         Message Indicator 
         Cryptographic Checksum 
         A's challenge 
         (encrypted in B's public key) 



B responds by answering A's challenge and posing one of its own: 



B → A:   SEQ = 0 
         ACK = 1 
         CTL = ENC, SYN, ACK 
         Message Indicator 
         Cryptographic Checksum 
         B's challenge 
         B's response = {A's challenge}^{B's private key} 
         (encrypted in A's public key) 



A is now able to verify that B has correctly answered its challenge by decrypting B's answer with 
B's public key. The cryptographic version of the three way handshake is concluded by A's answer 
to B's challenge: 

A → B:   SEQ = 1 
         ACK = 1 
         CTL = ENC, ACK 
         Message Indicator 
         Cryptographic Checksum 
         A's response = {B's challenge}^{A's private key} 
         (encrypted in B's public key) 



Once B has checked A's signature on the challenge, both processes are in an ESTABLISHED 
state and are willing to accept and acknowledge data. As with an unsecured handshake, the 
synchronization messages can carry data, but these data must not be accepted and passed on to 
the user until the handshake is complete. 

Throughout connection initiation, the segments exchanged are encrypted in the correspondents' 
session keys. Once the TCP's enter the ESTABLISHED state, however, they will switch to 
using an incarnation key, manufactured from the exchanged challenges, for the duration of the 
incarnation. There are various ways to produce such an incarnation key, but we will adopt the 
convention that the challenges are treated as exchanged public keys, regardless of whether a public 
key or conventional system is in use. Each side of the connection will thus transmit in one key and 
receive in another. 

The switch from the session keys to the incarnation keys opens the possibility of doubt on 
the receiving TCP's part about which key to use in decrypting an incoming segment. Once 
an incarnation key has been selected, this will become the key of choice and most segments 
otherwise encrypted will represent errors. If, however, a segment fails to decrypt correctly using 
the incarnation key, the session key can be tried. 
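A simulation of the secure three way handshake of Section 6.2 together with the acceptance test of Section 6.1, added here as an example and not taken from the paper. Assumptions: textbook RSA over constructed toy primes stands in for raising a challenge to a private key, an HMAC over the pseudo header, header and data stands in for the cryptographic checksum, the incarnation key is a hash of the two exchanged challenges, and the encryption of the segments themselves is not modelled.

```python
import hashlib
import hmac
import json

# Constructed toy RSA key pairs (1019, 1031, 1009 and 1021 are prime; demo sizes only).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

A_PUB, A_PRIV = make_keypair(1019, 1031)
B_PUB, B_PRIV = make_keypair(1009, 1021)
# Assumption: one shared key stands in for the correspondents' session keys
# under which the handshake segments are encrypted.
SESSION_KEY = b"constructed session key (demo)"
PSEUDO_AB = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 6}   # constructed
PSEUDO_BA = {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": 6}

def sign(priv, challenge):
    """{challenge}^(private key): raise the challenge to the private exponent."""
    return pow(challenge, priv["d"], priv["n"])

def verify(pub, challenge, response):
    """Decrypt the response with the public key and compare it with the challenge."""
    return pow(response, pub["e"], pub["n"]) == challenge

def incarnation_key(chal_a, chal_b):
    """Assumption: the incarnation key is a hash of the two exchanged challenges."""
    return hashlib.sha256(f"{chal_a}:{chal_b}".encode()).digest()

def crypto_checksum(key, pseudo_header, seg):
    """Keyed checksum over pseudo-header, header and data; the checksum field
    itself is blanked before hashing, as the paper allows."""
    body = dict(seg, crypto_checksum="")
    blob = json.dumps([pseudo_header, body], sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def make_segment(key, pseudo, seq, ack, ctl, options=None, data=""):
    seg = {"seq": seq, "ack": ack, "ctl": sorted(ctl), "msg_indicator": f"MI-{seq}",
           "crypto_checksum": "", "options": options or {}, "data": data}
    seg["crypto_checksum"] = crypto_checksum(key, pseudo, seg)
    return seg

def accept(key, pseudo, seg, expected_seq):
    """Judge authenticity first (cryptographic checksum), then timeliness (SEQ)."""
    authentic = hmac.compare_digest(seg["crypto_checksum"],
                                    crypto_checksum(key, pseudo, seg))
    return authentic and seg["seq"] == expected_seq

def handshake(chal_a=0xBEEF, chal_b=0xCAFE):
    """The three segments of Section 6.2; both sides start at SEQ 0.
    Returns (A's incarnation key, B's incarnation key), or None on failure."""
    # A -> B: SEQ = 0, CTL = ENC, SYN, CHAL option carrying A's challenge
    s1 = make_segment(SESSION_KEY, PSEUDO_AB, 0, None, ["ENC", "SYN"], {"CHAL": chal_a})
    if not accept(SESSION_KEY, PSEUDO_AB, s1, 0):
        return None
    # B -> A: SEQ = 0, ACK = 1, CTL = ENC, SYN, ACK, B's challenge and B's response
    s2 = make_segment(SESSION_KEY, PSEUDO_BA, 0, 1, ["ENC", "SYN", "ACK"],
                      {"CHAL": chal_b, "RESP": sign(B_PRIV, s1["options"]["CHAL"])})
    if not (accept(SESSION_KEY, PSEUDO_BA, s2, 0)
            and verify(B_PUB, chal_a, s2["options"]["RESP"])):
        return None
    # A -> B: SEQ = 1, ACK = 1, CTL = ENC, ACK, A's response to B's challenge
    s3 = make_segment(SESSION_KEY, PSEUDO_AB, 1, 1, ["ENC", "ACK"],
                      {"RESP": sign(A_PRIV, s2["options"]["CHAL"])})
    if not (accept(SESSION_KEY, PSEUDO_AB, s3, 1)
            and verify(A_PUB, chal_b, s3["options"]["RESP"])):
        return None
    # Both ends are now ESTABLISHED and switch from the session key to the
    # incarnation key, each deriving it from the challenges it saw.
    key_a = incarnation_key(chal_a, s2["options"]["CHAL"])
    key_b = incarnation_key(s1["options"]["CHAL"], chal_b)
    return key_a, key_b

if __name__ == "__main__":
    key_a, key_b = handshake()
    data_seg = make_segment(key_a, PSEUDO_AB, 1, 1, ["ENC"], data="hello")
    print("data segment accepted:", accept(key_b, PSEUDO_AB, data_seg, 1))
    forged = dict(data_seg, data="hellx")          # altered in transit
    print("altered segment accepted:", accept(key_b, PSEUDO_AB, forged, 1))
```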



6.3 Detecting Denial of Service 



Denial of service can be reliably detected by the sender of messages, say A, through its failure 
to receive acknowledgments. After a number of attempts that will vary with circumstances, it will 
respond by sending a trouble report to its user. An intruder cannot defeat this strategy by sending 
phony acknowledgments because he is unable to make his phonies cryptographically acceptable. 
phony acknowledgments because he is unable to make his phonies cryptographically acceptable. 

The prospective receiver, B, on the other hand has no way of knowing that segments intended 
for him are being prevented from reaching their goal. If B is to discover this, he must send messages 
to A that will provoke a response. 

The same challenge and response mechanism used in establishing the connection is suitable 
for this purpose. Either party may at any time during the connection, whether it feels deprived 
of incoming data or not, send a new "public key" to the other party and expect a satisfactory 
response. This challenge can be given a segment of its own or combined with user data. This latter 
possibility helps to prevent an opponent from distinguishing such messages from data and allowing 
only the former to pass. 

It is interesting to note that challenges posed in this manner arrive in segments encrypted 
with the current incarnation key, but must be signed with the receiver's private key. A correct 
response therefore guarantees that the responder knows both. 

After a key change, arrival of legitimate data encrypted with the old key is not unlikely and 
the receiver must be prepared to hold it until all segments sent before the key change have been 
received and acknowledged. The sender is under no such obligation and can freely retransmit 
unacknowledged segments in the new key rather than the old. 

As noted earlier, this mechanism not only serves to detect denial of service but to prevent 
recycling of sequence numbers. 

7 Incompatible, But Related, Protocols 

TCP is best suited to establishing connections across which substantial amounts of data will be 
transferred asynchronously in both directions; it is inefficient for transmission of small amounts of 
data such as remote procedure calls and, due to its insistence that every segment must be received 
undamaged and acknowledged, ill suited to carrying real time data such as voice. 

TCP's inefficiency in transmitting small amounts of data has a direct effect on its suitability 
for communication between a KDC and its clients since key exchange requires only very short 
messages and, unless each client maintains a constant connection with the KDC, TCP will add 
substantial overhead. The specialization of TCP has a more profound effect, however, on its utility 
as the common denominator of secure communications and the primary location for the network 
security mechanism. This utility is dependent on the assumption that all processes above the 
transport layer will make use of TCP and can thus rely on it to provide security. If instead, there 
must be several secure transport layer protocols, not only must security be incorporated in all of 
them, but each must be provided with access to cryptographic hardware. 

TCP segments are best viewed as "programs that are mostly data" and TCP as an interpreter 
for executing these programs. In this view, an effort to make TCP more flexible would probably 
change it from a language with a nearly fixed length instruction set to one with a variable length 
instruction set. Instead of requiring that all of the various fields: acknowledgment number, 
checksum, window, etc. be present in every segment, the segment header would begin with the 
control bits and incorporate additional fields as needed. 






Figure 7.5 Possible Alternative Header Format (field layout, top to bottom): control bits (ENC, CHK, FIN, ...), Reserved, Data Offset; Source Port, Destination Port; Sequence Number; Acknowledgment, Window, etc. (as needed); Options and Padding; Data. 



In a configuration analogous to that presented in the previous section, a security control bit 
would be set. This would indicate that the segment must be decrypted and that the acceptance 
test would be cryptographic. In this case a checksum control bit would not be present and no non- 
cryptographic checksum would be performed. The present TCP layout in these respects would be 
modeled by turning the secure bit off and the checksum bit on. In a local area network that was 
considered to be both reliable and secure neither bit might be set. 



Acknowledgement 

I am grateful to Steve Kent for his little known technical note, "TCP and Communication 
Security," which provides an insightful exploration of the problems encountered in producing a 
secure version of TCP. 

References 

[1] D. L. Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms," 
Communications of the ACM, Vol. 24, No. 2, pp. 84-88, February 1981. 

[2] Whitfield Diffie, "Conventional Versus Public Key Cryptosystems," in Secure Communications 
and Asymmetric Cryptosystems, Edited by Gustavus J. Simmons, Westview Press, Boulder, 
Colorado, 1982. 

[3] "DoD Standard, Internet Protocol," Information Sciences Institute, University of Southern 
California, Marina del Rey, California, RFC 791, September 1981. 

[4] "DoD Standard, Transmission Control Protocol," Information Sciences Institute, University 
of Southern California, Marina del Rey, California, RFC 793, September 1981. 

[5] Steven T. Kent, "Some Thoughts on TCP and Communication Security," MIT, Laboratory 
for Computer Science, Local Network Note, No. 6, 4 May 1977. 

[6] "Modes of Operation for the Data Encryption Standard," National Bureau of Standards, 
Federal Information Processing Standards Publication 81, 1980. 



Symmetric Public-Key Encryption 



Zvi Galil (1,2,3)   Stuart Haber (1,3)   Moti Yung (1,3,4) 

1 Department of Computer Science, Columbia University 

2 Department of Computer Science, Tel Aviv University 



Summary 



Public-key encryption would seem to be inherently asymmetric, in that only messages sent to a user can be 
encrypted using his public key. We demonstrate that the use of interactive protocols for sending encrypted 
messages enables a symmetric use of public keys; we give cryptographic protocols for the following tasks: 

1. Probabilistic encryption, using the same public key, both of messages that are sent to a particular user 
as well as of messages that the user sends to others, without compromising the key. We propose a 
public-key cryptosystem based on these protocols which has only one key, owned by a cryptographic 
server. 

2. Authentication both of the sender and of the receiver of a probabilistically encrypted message. 

3. Probabilistic encryption which is provably secure against both chosen-message and chosen-ciphertext 
attack. 



December 1985 



3 Supported in part by NSF grants MCS-8303139 and DCR-8511713. 
4 Supported in part by an IBM graduate fellowship. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 128-137, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






1. Introduction 

As introduced by Diffie and Hellman and further studied by many authors, public-key encryption would seem to 
be inherently asymmetric: messages sent to user A are encrypted using A's public key [6, 16]. This is true both for 
deterministic [15, 13] and for probabilistic [8, 3, 5] implementations of the Diffie-Hellman model. 

In this paper we suggest that users follow an interactive protocol in order to send probabilistically encoded 
messages, and show how this allows the symmetric use of public keys. A's public key will be used to encode 
messages that are sent to A as well as to encode messages that A sends to others, without compromising the key. 
We contrast our protocol with previous interactive schemes, in which public-key encryption was used in order to 
distribute additional private keys that could be used symmetrically by pairs of users [9, 18]; our scheme enables 
symmetric use of the public key itself. 

This capability is useful in a number of cryptographic settings. For example, it enables a casual user who is not 
registered in the central file of public keys to receive a private message. It can also be used in a cryptographic 
network with a trusted central server, through which all messages are routed; here only a single public key is needed 
(cf. [12]). 

We extend our scheme so as to enable the symmetric authentication of an encoded message — that is, the 
authentication both of the sender and of the receiver of the message. This is the first such scheme, in the setting of 
probabilistic encryption, that uses only the encryption keys. 

Probabilistic encryption was proposed in order to hide from an eavesdropper all partial information about an 
encoded message. However, all of the systems discussed in the literature are vulnerable to chosen-ciphertext attack. 
We give a refinement of our protocol (based on [11]) which is provably secure against chosen-ciphertext attack. In 
addition, we give another symmetric public-key encryption scheme, this one based on a minimum-knowledge 
interactive proof-system, which is also chosen-ciphertext secure [7]. 

2. Background 

In the model introduced by Diffie and Hellman, each user A in a public-key cryptosystem has a public 
encryption algorithm $E$ and a private decryption algorithm $D$. Any other user encrypts a message $M$ that he wishes 
to send to A by computing the ciphertext $E(M)$; only A is capable of computing $D(E(M)) = M$ to recover the original 
message [15, 13]. In order that the ciphertext reveal no partial information about the message, it has been suggested 
that $E$ and $D$ be probabilistic algorithms [8, 3, 5]. 

We would like A to be able to use her own public key in order to send an encrypted message to another user B. In 
order to do this securely, so that no other users can decrypt the message, it seems necessary to make the transfer of a 
message depend on an interactive protocol between A and B. In this way B can help to choose the random input to 
the probabilistic encryption and decryption algorithms. In the next section we will show how to implement this 
idea; first we sketch the methods of probabilistic encryption that we will use. 

The security of the protocols that we discuss in this paper relies on the existence of hard bits, that is, Boolean 
predicates B for which there is an efficient reduction to B of an assumedly intractable number-theoretic problem. 






Specifically, we will assume that we are given functions of the following form. Let $D \subseteq \{0,1\}^n$ be a (non-sparse) 
set of $n$-bit strings, and suppose that $f : D \to D$ is a one-way trapdoor permutation. Suppose in addition that 
$B : D \to \{0,1\}$ is an (efficiently computable) Boolean predicate such that $f^{-1}$ is efficiently reducible to the "hard 
bit" $B \circ f^{-1}$.* (Yao has shown that, even without such a predicate, $f$ can be used to generate pseudo-random bits [17].) 

$x \xrightarrow{\;f\;} y$, with the hard bit $B(x) = B \circ f^{-1}(y)$ 

Such a function and its associated Boolean predicate may be used as a cryptographically strong generator of 
pseudo-random bits. Given any element $x \in D$, and two integers $j < k$, we will define 

$G(x, j, k)$ 
to be the bit-sequence 

$B(f^j(x)),\ B(f^{j+1}(x)),\ \ldots,\ B(f^k(x)).$ 

$x \to f(x) \to f^2(x) \to \cdots \to f^l(x)$, with $\mathrm{pad}(x) = b_1 b_2 \ldots b_l$ read off as $b_i = B(f^i(x))$ 

If elements $x \in D$ are chosen at random, then the bit-sequences $\mathrm{pad}(x) = G(x, 1, l)$ are indistinguishable (in time 
polynomial in $n$) from truly random bit-sequences. That is, an efficient algorithm which could distinguish between 
the two sorts of sequences with non-negligible probability could in turn be converted to an efficient algorithm for 
computing $f^{-1}$, contradicting the assumption that $f^{-1}$ is hard. (For a more complete account of this, see [4, 17, 2].) 
The provable security of these bit sequences permits us to use them to simulate one-time pads. 

The schema just described is an abstraction of two different methods of pseudo-random bit-generation. That of 
Goldwasser, Micali, and Tong [9] requires an $n$-bit integer $N = pq$ which is the product of two primes satisfying 
either $p \equiv q \equiv 3 \pmod 8$, or $p \equiv q \equiv 7 \pmod 8$. The domain $D$ is the set $\{x \in \mathbb{Z}_N^* \mid 0 < x < N/2,\ \left(\tfrac{x}{N}\right) = 1\}$; we define the 
function $f$ by $f(x) = \pm x^2 \bmod N$, choosing either $+$ or $-$ so that $0 < f(x) < N/2$, and we define the predicate 
$B : D \to \{0,1\}$ by $B(x) = \mathrm{parity}(x)$. Both $f$ and $B$ can be efficiently computed. The trapdoor information for $f$ is the 
factorization of $N$; this information enables the efficient computation of $(f^{-1})^j$ [5]. The security of the hard bit of 
this scheme was proved by Alexi, Chor, Goldreich, and Schnorr [1]. 



* We may also have $B : D \to \{0,1\}^k$, where $B$ is a $k$-bit "predicate" all of whose bits are simultaneously hard. In this case, the cryptographic 
applications -- modified in the obvious manner -- are more efficient by a factor of $k$. The proofs go through with little change. 






The pseudo-random bit-generator of Blum, Blum, and Shub also involves squaring modulo a large integer N [3]. 

The first probabilistic encryption scheme, due to Goldwasser and Micali [8], does not use a pseudo-random 
bit-generator; instead, each bit of a message is encoded either as a random quadratic residue or as a random 
quadratic non-residue modulo a large integer which is the product of two primes. More precisely, a public key in 
this scheme consists of $N$ together with $y$, a quadratic non-residue mod $N$ with Jacobi symbol $+1$. To encode a bit, 
one chooses $x \in \mathbb{Z}_N^*$ at random and sends either $x^2 \bmod N$ (a random residue) or $yx^2 \bmod N$ (a random non-residue), 
according to whether the bit is 0 or 1. For any bit-string $s$, we will use $E_{N,y}(s)$ to denote the set of possible 
encodings of $s$; thus, if $s$ has length $l$ then $E_{N,y}(s)$ consists of $l$-tuples of residues and non-residues mod $N$. Gaining 
any partial information about an encoded message is as hard as distinguishing residues from non-residues mod $N$, 
which appears to be an intractable problem without knowing the factorization of $N$. The trapdoor information which 
enables efficient decoding is exactly this factorization. 

3. Symmetric Encryption Scheme 

We describe here how to encode and decode, using a cryptographically strong bit-generator constructed with a 
trapdoor function as described above. 

Let $f$ be the trapdoor function whose specification is contained in user A's public file; that is, all users in the 
network can compute $f$ quickly, but only A has the trapdoor information enabling her to compute $f^{-1}$. Generalizing 
the scheme of Blum and Goldwasser [5], we show how any other user B can send an encrypted message to A using 
$f$; we then describe how, using the same function $f$, A can send a securely encrypted message to B. 

In both cases, the cleartext being sent is an $l$-bit message $M$ (where $l$ is polynomial in $n$). For any element $x \in D$, 
we will use the notation $\mathrm{pad}(x) = G(x, 1, l)$. 

Protocol 1 

In the 'forward' or usual direction, B chooses an element $x \in D$ at random, and computes $\mathrm{pad}(x)$, $C = \mathrm{pad}(x) \oplus M$, 
and $X = f^{l+1}(x)$. B sends to A the encryption of $M$, namely the pair $[C, X]$. A can decode by computing $x = f^{-(l+1)}(X)$ 
and $C \oplus \mathrm{pad}(x) = M$. 

Encrypting messages in the opposite direction seems to require some additional communication. We propose the 
following protocol for A to send the message $M$ to B. 

Protocol 2 

• A → B: "Hi" 

• B chooses $x$ at random in $D$, 
and computes $\mathrm{pad}(x)$ and $X = f^{l+1}(x)$ 

• B → A: $X$ 

• A computes $x = f^{-(l+1)}(X)$, $\mathrm{pad}(x)$, 
and $C = \mathrm{pad}(x) \oplus M$ 

• A → B: $C$ 

• B computes $C \oplus \mathrm{pad}(x) = M$ 

Notice that the information that is available to the eavesdropping adversary, namely X (which serves as an 
encoding of the seed x) and C, is the same in both protocols. 

Under known-message attack, the present scheme is as secure as the problem of inverting $f$. To be more precise, 
assume that an eavesdropper witnesses polynomially many executions of one or both of the above protocols 
(polynomial in $n$), and that he knows the message $M_i$ that was sent in the $i$th execution (either sent by user $B_i$ to A, 
following Protocol 1, or sent by A to user $B_i$, following Protocol 2). Suppose that, after some polynomially bounded 
computation, the eavesdropper is able either (a) to correctly simulate the behavior of A in order to send a message of 
his (the eavesdropper's) choice; or (b) to decode (with probability non-negligibly better than 1/2) one bit of the next 
message that A sends or receives. Then our eavesdropper must be able to compute $f^{-1}$ quickly. The proof relies on 
the (polynomial-time) indistinguishability of the pseudo-random bits of $\mathrm{pad}(x)$ from truly random bits. 

We now show how the bit-by-bit probabilistic encryption scheme of Goldwasser and Micali can also be adapted 
so as to encode messages either to or from the owner of a public key. Let user A have the public key $(N, y)$. 

As in the original scheme, user B can send a message $M$ to A by probabilistically computing an element 
$e \in E_{N,y}(M)$ and sending it to A. Knowing the trapdoor information, A can recover $M$ from $e$. We will call this 
Protocol 1*. 

In order for A to send an $l$-bit message $M$ to B, the two users execute the following protocol. 

Protocol 2* 

• A → B: "Hi" 

• B chooses $p \in \{0,1\}^l$ at random, 
and probabilistically computes $e \in E_{N,y}(p)$ 

• B → A: $e$ 

• A computes $p$ and $C = p \oplus M$ 

• A → B: $C$ 

• B computes $C \oplus p = M$ 

As before, Protocol 2* is as secure as encryption in the usual direction. 

3.1. Applications 

An immediate application of these protocols is to allow encoded messages to be sent to casual users in a network 
without requiring that they undergo any special procedure such as having a key registered in a public-key library. 

If a network includes a trusted central server, then any message can be sent via the server, encoded using the 
server's public key; when A wants to send a message to B, she sends it to the server using Protocol 1, and the server 
sends it on to B using Protocol 2. In this case, only a single public key is needed; there is no need to initialize and 
maintain a public-key library. This may increase the security of the system and decrease its cost. 

We observe that if this suggestion is implemented using bit-by-bit probabilistic encryption, i.e. with Protocol 1* 
and Protocol 2*, then it is easy to prove that an adversary gains no advantage whatsoever from over-hearing (what 
he knows to be) two encryptions of the same message. 

4. Authentication 

What has been presented so far is purely an encryption scheme. We now assume that each user has his own 
public key, and we consider the problem of user authentication. 

We distinguish two authentication problems that arise when A sends a message to B. There is the problem of 
sender authentication, which is to convince B that it was indeed A who sent the message, and the complementary 
problem of receiver authentication, which is to convince A that it is indeed B who received the message. 

In the usual public-key encryption scheme, in which messages to user A are encrypted using A's public key, 
receiver authentication is assured by the fact that only A knows the private key which is necessary for decryption; on 
the other hand, there is no automatic provision for authenticating the sender of a message. A malicious user C can 
send a message to A, claiming to be B. 

In a standard deterministic public-key scheme, the usual modification to assure sender authentication is by means 
of a "digital signature", specifying that the message be further encrypted using the sender's private key; that is, B 
encrypts his message $M$ to A as $D_B E_A(M)$ [6]. On the other hand, of the several proposed probabilistic public-key 
schemes, none seems to allow for an easy modification that assures sender authentication. 

In our scheme, whereby A sends messages to others using her own public key, the authentication problems are 
correspondingly reversed. Sender authentication is guaranteed by the fact that only A knows the trapdoor 
information (for inverting $f$) which is necessary for encryption, while receiver authentication is no longer assured. 
That is, a malicious user C can masquerade as B in an execution of Protocol 2, since the only secret information in 
the scheme is that of A. 

We suggest that a simple modification of the protocols presented in the last section allows A to send $M$ to B so 
that both A and B can authenticate their identities to each other. Let $f_A, f_B$ denote the public encryption functions for 
users A and B, and let $D_A, D_B$ be their domains. In the following protocol for A to send an authenticated $l$-bit 
message $M$ to B, $\mathrm{pad}(x)$ and $\mathrm{pad}(y)$ are computed using $f_A$ and $f_B$, respectively. 

Protocol 3 

• A → B: "Hi, this is A sending a message to B." 

• B chooses $x$ at random in $D_A$, 
and computes $\mathrm{pad}(x)$ and $X = f_A^{\,l+1}(x)$. 

• B → A: $X$ 

• A computes $x = f_A^{-(l+1)}(X)$, $\mathrm{pad}(x)$, 
chooses $y$ at random in $D_B$, 
computes $\mathrm{pad}(y)$, $Y = f_B^{\,l+1}(y)$, and $C = M \oplus \mathrm{pad}(x) \oplus \mathrm{pad}(y)$ 

• A → B: $[C, Y]$ 

• B computes $y = f_B^{-(l+1)}(Y)$, $\mathrm{pad}(y)$, 
and $C \oplus \mathrm{pad}(x) \oplus \mathrm{pad}(y) = M$ 

As with Protocols 1 and 2, this protocol is secure against known-message attack. Moreover, impersonating A or 
B is as hard as inverting $f_A$ or $f_B$, respectively. 

5. Chosen-Ciphertext Security 

In a chosen-ciphertext attack, the adversary is allowed to have a ciphertext of his choice decrypted. Several 
proposed cryptosystems which are secure against weaker sorts of cryptanalytic attack are easily seen to be 
vulnerable to the chosen-ciphertext attack. In this section we show how introducing interaction to the cryptosystem 
enables us, for the first time, to achieve provable security against this attack. 

For an example of the chosen-ciphertext attack, consider Protocol 2 specified above. B, the receiver of the 
message, can cheat in the following way. Instead of choosing $x$ at random in $D$ and continuing with the protocol, B 
chooses an element $y \in D$, setting $X = f^{l-1}(y) = f^{l+1}(x)$, where now $x$ is an element which he does not know. 
However, B does know all but the first bit of $\mathrm{pad}(x)$. A, suspecting nothing amiss, sends B the encryption 
$\mathrm{pad}(x) \oplus M$, all but the first bit of which B can easily decode. If the context of the message allows B to infer the 
value of that first bit, then he has learned the value of the hard bit $b_1 = B \circ f^{-1}(y)$ of a number $y$ of his choice. Since 
our original assumption was that inverting $f$ is efficiently reducible to $B \circ f^{-1}$, this is a successful attack. 

$x = f^{-2}(y) \to f^{-1}(y) \to y \to \cdots \to f^{l-2}(y) \to X = f^{l-1}(y) = f^{l+1}(x)$ 
$\mathrm{pad}(x) = b_1\, b_2 \ldots b_l$, with $b_i = B(f^i(x))$; only $b_1 = B(f^{-1}(y))$ is unknown to B 



With the implementation using the bit-generator of Goldwasser, Micali, and Tong (see section 2), we now show 
how to refine Protocol 2 so that the resulting scheme is chosen-ciphertext secure. This refinement, based on the 
work of [11], is due to Silvio Micali. 

Protocol 4 

• A → B: "Hi" 

• B chooses at random $x, x_1, x_2, \ldots, x_n$ in $\mathbb{Z}_N^*$, 
and computes $\mathrm{pad}(x)$, $X = f^{l+1}(x)$, and $X_i = f^{l+1}(x_i)$ ($i = 1, \ldots, n$) 

• B → A: $X, X_i$ ($i = 1, \ldots, n$) 

• A → B: a random subset $S \subseteq \{1, \ldots, n\}$ of size $n/2$ 

• B → A: $\{x_i \mid i \in S\}$ and $\{x x_j \bmod N \mid j \notin S\}$ 

• A checks that $f^{l+1}(x_i) = X_i$ for $i \in S$ and $f^{l+1}(x x_j) = X X_j \bmod N$ for $j \notin S$; 
if so then A → B: $M \oplus \mathrm{pad}(x)$, 
otherwise A halts (detecting cheating) 

This protocol is secure against an eavesdropper; furthermore, it is secure against chosen-ciphertext attack by 
B. The protocol ensures that if A does not halt the transaction, detecting cheating, then with very high probability B 
has not cheated. In fact, the refinement may be regarded as a protocol during which B proves to A that he knows the 
number x, without gaining any additional knowledge -- for example, about the integer N. (Such a protocol is called 
a minimum-knowledge interactive proof system [11, 7].) 

The same protocol will work, mutatis mutandis, as long as $D$ is a group (in which we can compute efficiently) 
and $f$ is an automorphism of the group. 
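An implementation of Protocols 1 and 2 of Section 3 and of Micali's cut-and-choose refinement, Protocol 4, of Section 5, added here as an example and not taken from the paper. Assumptions: the Blum-Blum-Shub variant of the generator is used, with $D$ the group of quadratic residues modulo a constructed toy Blum integer $N = pq$, $f(x) = x^2 \bmod N$ and the parity hard bit, so that $f$ is an automorphism of $D$ as the remark above requires; $l = 16$; the `cheat` switch of `protocol4` plays the receiver of Section 5 who submits $X = f^{l-1}(y)$ for a $y$ of his choice.

```python
import random
from math import gcd

# Constructed Blum primes (p ≡ q ≡ 3 mod 4); toy size, demo only.
P, Q = 1019, 1031
N = P * Q
L = 16            # message length l in bits

# Assumption: Blum-Blum-Shub variant.  D = QR_N (quadratic residues mod N),
# f is squaring, which is a permutation of QR_N for a Blum integer N, and
# the hard bit B is the parity.
def f(x):
    return x * x % N

def f_pow(x, k):                  # f^k(x)
    for _ in range(k):
        x = f(x)
    return x

def f_inv(y):
    """Trapdoor inverse: the unique square root of y that lies in QR_N,
    found mod P and mod Q (exponent (p+1)/4) and combined by the CRT."""
    rp = pow(y, (P + 1) // 4, P)
    rq = pow(y, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def f_inv_pow(y, k):              # f^{-k}(y); needs the factorization of N
    for _ in range(k):
        y = f_inv(y)
    return y

def hard_bit(x):                  # B(x) = parity(x)
    return x & 1

def G(x, j, k):                   # B(f^j(x)), B(f^{j+1}(x)), ..., B(f^k(x))
    y = f_pow(x, j)
    bits = []
    for _ in range(j, k + 1):
        bits.append(hard_bit(y))
        y = f(y)
    return bits

def pad(x):
    return G(x, 1, L)

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def random_qr(rng):               # random element of D = QR_N
    r = rng.randrange(2, N)
    while gcd(r, N) != 1:
        r = rng.randrange(2, N)
    return r * r % N

# Protocol 1: B -> A, the usual direction.
def protocol1_encrypt(M, rng):
    x = random_qr(rng)
    return xor(pad(x), M), f_pow(x, L + 1)        # [C, X]

def protocol1_decrypt(C, X):
    return xor(C, pad(f_inv_pow(X, L + 1)))       # A recovers x, then M

# Protocol 2: A -> B using A's own key; B supplies the seed.
def protocol2(M, rng):
    x = random_qr(rng)                            # B picks x
    X = f_pow(x, L + 1)                           # B -> A: X
    C = xor(pad(f_inv_pow(X, L + 1)), M)          # A -> B: C
    return xor(C, pad(x))                         # B recovers M

# Protocol 4: before A releases M ⊕ pad(x), B proves that he knows x.
# cheat=True models the Section 5 receiver who sends X = f^{l-1}(y) for a y
# of his choice, so the x behind X is f^{-2}(y), which he does not know.
def protocol4(M, rng, n=8, cheat=False):
    x = random_qr(rng)
    extra = [random_qr(rng) for _ in range(n)]
    X = f_pow(random_qr(rng), L - 1) if cheat else f_pow(x, L + 1)
    Xs = [f_pow(xi, L + 1) for xi in extra]       # B -> A: X, X_1 .. X_n
    S = set(rng.sample(range(n), n // 2))         # A -> B: random half
    opened = {i: extra[i] for i in S}             # B -> A: x_i for i in S
    products = {j: x * extra[j] % N for j in range(n) if j not in S}
    for i, xi in opened.items():                  # A's checks
        if f_pow(xi, L + 1) != Xs[i]:
            return None
    for j, xxj in products.items():               # f is a homomorphism of QR_N
        if f_pow(xxj, L + 1) != X * Xs[j] % N:
            return None                           # A halts: cheating detected
    C = xor(pad(f_inv_pow(X, L + 1)), M)          # A -> B: M ⊕ pad(x)
    return xor(C, pad(x))
```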

We now sketch another solution to the problem of the chosen-ciphertext attack. In order to avoid any chance that 
A's public key be compromised by B's clever choice of random input to a probabilistic encryption protocol, we 
require that A choose the input; we proceed as follows. The solution has two stages. In the first stage, A chooses a 
sequence of random bits and transmits them one by one to B; these transmissions, of course, must be 
cryptographically secure. This can be accomplished by means of the minimum-knowledge protocol introduced in 
[7]; following this protocol, A can prove to B the value of a Boolean predicate in such a way that no eavesdropper 
can tell whether that value is 0 or 1, and so that B gains no additional knowledge at all. In the second stage, the 
sequence of bits can be used as the seed for a pseudo-random bit-generator; in this way, A and B simulate a shared 
one-time pad (of length polynomial in the length of the seed exchanged in the first stage). 

6. Conclusions 

By extending the capabilities of public-key encryption, we have demonstrated the power that interaction adds to 
the capabilities of cryptographic systems. Further study of interactive protocols promises to be of great use to 
cryptography. We take note here of the work of Rackoff in rigorous modeling of cryptosystems, including 
interaction [14]. 

The problem remains open of specifying a cryptosystem which does not use interaction and proving it secure 
against chosen-ciphertext attack. Perhaps a first step in this direction would be to allow some sort of limited 
interaction. For example, in the signature scheme of [10], which is secure against the analogous attack, the 
dependence of any signature on the history of previously signed messages (or on a random-function construction) 
may be regarded as an instance of interaction with that history (or with the random-function generator). 

Acknowledgments 

We would like to thank Silvio Micali for his encouragement of and major contributions to this work. 






References 

[1] W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr. 
RSA/Rabin bits are 1/2 + 1/poly(log N) secure. 
In Proc. 25th FOCS, pages 449-457. IEEE, 1984. 

[2] D. Angluin and D. Lichtenstein. 
Provable Security of Cryptosystems: a Survey. 
Technical Report YALEU/DCS/TR-288, Yale University, October, 1983. 

[3] L. Blum, M. Blum, and M. Shub. 
A simple secure pseudo-random number generator. 
In Crypto '82. 1982. 

[4] M. Blum and S. Micali. 
How to generate cryptographically strong sequences of pseudo-random bits. 
In Proc. 23rd FOCS, pages 112-117. IEEE, 1982. 

[5] M. Blum and S. Goldwasser. 
An efficient probabilistic public-key encryption scheme which hides all partial information. 
In Crypto '84. 1984. 

[6] W. Diffie and M.E. Hellman. 
New directions in cryptography. 
IEEE Trans. on Inform. Theory IT-22: 644-654, November, 1976. 

[7] Z. Galil, S. Haber, and M. Yung. 
A private interactive test of a Boolean predicate and minimum-knowledge public-key cryptosystems. 
In Proc. 26th FOCS. IEEE, 1985. 

[8] S. Goldwasser and S. Micali. 
Probabilistic encryption and how to play mental poker keeping secret all partial information. 
In Proc. 14th STOC, pages 365-377. ACM, 1982. 

[9] S. Goldwasser, S. Micali, and P. Tong. 
Why and how to establish a private code on a public network. 
In Proc. 23rd FOCS, pages 134-144. IEEE, 1982. 

[10] S. Goldwasser, S. Micali, and R.L. Rivest. 
A "paradoxical" solution to the signature problem. 
In Proc. 25th FOCS, pages 441-448. IEEE, 1984. 

[11] S. Goldwasser, S. Micali, and C. Rackoff. 
The knowledge complexity of interactive proof systems. 
In Proc. 17th STOC, pages 291-304. ACM, 1985. 

[12] R.M. Needham and M.D. Schroeder. 
Using encryption for authentication in large networks of computers. 
Communications of the ACM 21(12):993-999, December, 1978. 

[13] M. Rabin. 
Digitalized signatures and public-key functions as intractable as factorization. 
Technical Report LCS/TR-212, MIT, January, 1979. 

[14] C. Rackoff. 
Cryptography: lecture notes. 
1985. 

[15] R.L. Rivest, A. Shamir, and L. Adleman. 
A method for obtaining digital signatures and public key cryptosystems. 
Communications of the ACM 21(2):120-126, February, 1978. 

[16] G.J. Simmons. 
Symmetric and asymmetric encryption. 
Computing Surveys 11:305-330, December, 1979. 

[17] A.C. Yao. 
Theory and applications of trapdoor functions. 
In Proc. 23rd FOCS, pages 80-91. IEEE, 1982. 

[18] M. Yung. 
Cryptoprotocols: subscription to a public-key, secret blocking and the multi-player mental poker game. 
In Crypto '84. 1984. 



SOFTWARE PROTECTION: 
MYTH OR REALITY?* 



James R. Gosler 
Sandia National Laboratory 
Division 7233 
Albuquerque, N.M. 87185 



Abstract: 

Staggering amounts of commercial software are marketed to fulfill 
needs from the PC explosion. Unfortunately, such software is trivial 
to duplicate! From the vendors' viewpoint a way to protect profit is 
needed. Typically, they have resorted to various schemes that at- 
tempt to inhibit the duplication process. 

Although protection of future profit is important, so is protection 
against current loss. Commercial and business related software must 
be adequately protected lest data be stolen or manipulated. However, 
more important than any of these classes is protection of government 
computer resources, especially classified and operational software 
and data. Loss of control in this realm could be detrimental to 
national security. 

This paper addresses current technologies employed in protection 
schemes: signatures (magnetic and physical) on floppy disks, 
Software Analysis Denial (SAD), Hardware Security Devices (HSD), and 
Technology Denial Concepts (TDC) are presented, with an emphasis on 
SAD. Advantages and disadvantages of these schemes will be 
clarified. 

*This work performed at Sandia National Laboratories, 
supported by the Department of Energy under contract 
No. DE-AC04-76DP00789. 

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 140-157, 1986. 
© Springer-Verlag Berlin Heidelberg 1986 



1.0 INTRODUCTION 



Software piracy, unauthorized penetration and system 
modification [12,13] are areas of threat to government and business 
computer systems; even the economic survival [6] of many software 
vendors is in peril. Vendors are typically using three main 
strategies to combat the piracy dilemma. The strategies [16], usually 
used in combination, include marketing, legal, and technological. A 
typical marketing strategy is to price software at an extremely 
attractive figure in the hopes that each potential customer will 
purchase it, especially to receive the required documentation and any 
technical consultation. The legal ploy [7] includes suing for 
copyright or licensing agreement violations. These schemes by 
themselves have limited effect, but are useful in combination with other 
strategies. Technological schemes are extremely varied in detail, 
though they can be typically grouped into a few categories. The 
effectiveness of these technical schemes varies substantially and this 
is a major topic of the paper. The technological arena provides the 
only substantial methodology to combat software threats in government 
and business application fields. 



Concerns other than just preventing duplication of software are 
very important. For instance, software vendors may wish to protect 
against disclosure of proprietary algorithms, banking executives must 
prevent their system programmers from being able to examine or modify 
bank accounts, and government entities must design defense systems 
software with an intrinsic ability to prevent tampering of critical 
components or information. There are many examples where the hiding 
of critical information in software or detection of modified software 
is desirable, possibly mandatory. These conditions are found in all 
types of computer related applications, but have yet to receive the 
attention they deserve. One of the greatest flaws current banking 
and government computer security systems have in common is an im- 
plicit assumption that the adversary does not have access to a 
system. There are many recent examples that show this is not a good 
assumption! Obviously, this assumption, concerning potential adver- 
sary access, is not the case with copy protection schemes where the 
system is essentially thrown into a den of "wolves". 

The overall intent of this paper is to discuss current 
capabilities of both the defense and the threat, provide a comparison 
between them, and suggest a set of goals for the ultimate software 
protection system. 

Examples used in this paper are fictitious, but at the same time 
are representative of current copy protection techniques. However, 
we will neither deal with the issue of how protection schemes impact 
the end user nor address any specific defeat methodologies to com- 
promise current security schemes. The IBM PC, used by the author, 
will serve as a vehicle for examples. 



2.0 FUNDAMENTAL CONCEPTS 

We will provide some fundamental principles of copy protection 
and relate these via an analogy before discussing some of the techni- 
cal concepts associated with defense and threat. 

There are two broad components in a copy protection scheme. The 
first is a uniqueness associated with the system, which must be 
difficult to reproduce. Typically this is done with an unusual 
sector(s) on a floppy disk or by using a Hardware Security 
Device (HSD) that is separately attached to the system. The other 
component is special software that is usually embedded somewhere 
within application software and it is responsible for interrogating 
the presence of the uniqueness in the system. If present the special 
software may also determine if the uniqueness is pristine or altered. 






A security or copy protection system of this type can be beaten 
by two general methods: by duplicating the unique signature 
associated with the system or by modifying the software (application or 
system) in such a manner that application software will operate 
without the unique signature being present. The adversary need use 
only one of the above methods and generally the easiest is chosen. 

Thus, not only must the defense design a difficult to duplicate 
unique signature but, must also make it hard for an adversary to 
analyze and/or modify the software. Interestingly, many software 
packages, which employ some form of copy protection, do nothing to 
make analysis and/or modification of software difficult for the 
adversary — these schemes are easily defeated. Importantly, it is 
this component of a good security scheme that has many applications 
outside the field of copy protection. 

Another way of looking at the analysis and modification problem 
is by analogy using a burglar alarm. Suppose that a valuable asset 
must be protected and to do this we place the asset in a vault and 
surround it with an alarm system having many different types of 
sensors. These sensors are responsible for detecting changes to the 
normal operating environment. Upon detection, the alarm will be 
triggered, guards will appear, and the burglar will be permanently 
detained. In this analogy the valuable asset could be special 
software that checks for the presence of the unique signature. The 
sensors could also be special software which attempts to determine if 
the operating environment has been modified due to the use of, for 
instance, dynamic analysis tools by the adversary. Finally, the 
alarm might be anything from displaying an UNAUTHORIZED DUPLICATE 
message to implanting a worm (software which will cause harm to the 
system) in the software. 

For the software case it is feasible that an adversary has 
analysis tools with special properties that will not alter the 
monitored environmental parameters. Thus, the software can be 
analyzed easily without detection. In most cases even if detection 
occurs nothing terrible happens. Guards do not appear nor are worms 
implanted. The adversary, therefore, has an unlimited try capability 
and through repeated experiments will eventually win. 






3.0 THE DEFENSE 

A vendor wishing to protect his system will want duplication of 
the unique signature to be difficult for an adversary. He will also 
want it to be difficult to analyze or modify the software, which 
could bypass the need to duplicate the unique signature. Even the 
necessity of hiding proprietary algorithms may be appropriate. 
Government system software designers have similar objectives, but for 
different reasons. In order to prevent the adversary from having a 
working model of the system with which he can perform analysis at his 
leisure, designers want duplication to be difficult. However, the 
most important objectives are to make it extremely arduous to modify 
the system in a way that bypasses critical features (checks) and to 
obtain sensitive information (e.g. crypto variables). For both cases 
the objectives of the defense are threat scenario dependent. As 
such, designers must consider the ways in which their systems are 
vulnerable to an adversary and then take steps to thwart or nullify 
adversarial intrusion. 

It is apparent that software developers with diverse applica- 
tions have similar needs from the realm of software protection 
although the reasons they need protection are as diverse as the 
applications. 

How can the defense achieve his objectives? As a vehicle to 
unveil techniques and concepts, we will employ an IBM PC as the 
system and copy prevention as the objective. 

3.1 UNIQUE SIGNATURE 

To make duplication of software difficult there must be an 
additional component(s) included in the system specifically to 
provide trouble for an adversary to reproduce. This component(s) 
usually falls into one of two categories in the commercial world. 

The first category is comprised of a unique signature on the 
floppy disk itself. Typically, this comes in both a physical and a 
magnetic form. The physical signature involves removing a small 
amount of magnetic material from the floppy disk surface with a 
laser. The scheme is implemented by software that writes some infor- 
mation to this damaged area and then reads the information from the 
same area back into memory. If the information read is the same as 
that which was written, then clearly there was no laser damage on the 
disk at the proper location. We can conclude the software/disk 
combination is not the original. 

A magnetic form of floppy signature involves altering the 
standard IBM System 34 (double density) [11,18] recording format. Besides 
end user data, each track contains address marks, gap bytes (sync 
fields), sector ID fields, Cyclic Redundancy Check (CRC) bytes, and 
clock bytes. All of this information must be present and correct in 
order for the Intel 8272A floppy disk controller (FDC) [9,14] to 
properly process the end user data. It is quite possible, by 
altering this standard format [5], to cause the FDC to return an error 
status message back to the microprocessor (Intel 8088) [9,14,15] as a 
result of a disk operation. Examples of typical errors are bad CRC, 
sector not found, and address mark not found. For the system to 
determine that the unique signature is present, the software need 
only perform a disk operation(s) and then determine if correct error 
status is returned. It is also possible to create a non-standard 
disk format by issuing an unusual sequence of commands to the FDC or 
by using special hardware which bypasses the FDC and its inherent 
limitations. 

The second category of unique signature consists of a hardware 
security device (HSD) [17], which is currently being used in many of 
the more expensive software packages. The HSD can be connected 
externally to the PC via the RS-232 port, the parallel port, or even 
placed in series with the keyboard. It is rarely connected inter- 
nally since it typically requires use of a valuable card slot. 

The manner of HSD implementation within a system also varies. 
In its simplest form the system will send a fixed value to the HSD 
which then responds with a fixed value. The software will compare 
the response with a stored value to determine if the HSD is present. 
In more sophisticated versions, the system will send to the HSD and 
receive from it a variable value, and possibly even have part of the 
software encrypted and stored in the HSD. HSD advantages (from a 
security point of view) are that it is more difficult to duplicate 
than a floppy signature and it is not as obvious to an adversary when 
the system is looking for the unique signature. 

The HSD is much more expensive, which constitutes its primary 
disadvantage, and therefore is usually not used in cheaper software. 
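The two HSD interrogation styles just described, as an added example that is not code from the paper or from any product: a fixed-value exchange next to a variable-value one whose response is a keyed MAC of a fresh challenge. The HSD is simulated in software, and the secret, challenge values and all names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed values for the simulation; nothing here comes from the paper.
FIXED_CHALLENGE = b"\x5a"
FIXED_RESPONSE = b"\xa5"
# Burned into the HSD and also held by the checking software. As the paper
# notes, everything the check needs is therefore present in the system, which
# is why the check itself must be hard to analyze (the SAD problem).
SHARED_SECRET = b"constructed-hsd-secret"


class FixedValueHSD:
    """Simplest form: the system sends a fixed value, the HSD answers with a fixed value."""

    def respond(self, challenge: bytes) -> bytes:
        return FIXED_RESPONSE if challenge == FIXED_CHALLENGE else b"\x00"


class KeyedHSD:
    """Variable-value form: the response depends on the challenge through a keyed MAC."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ReplayHSD:
    """Stand-in for a device that only knows exchanges it has seen before.
    It shows which of the two checks a recorded transcript is enough to pass."""

    def __init__(self, transcript: Dict[bytes, bytes]) -> None:
        self._transcript = dict(transcript)

    def respond(self, challenge: bytes) -> bytes:
        return self._transcript.get(challenge, b"\x00")


def record_one_exchange(hsd, challenge: bytes) -> Dict[bytes, bytes]:
    """One challenge/response pair as it would be seen on the port."""
    return {challenge: hsd.respond(challenge)}


def check_fixed(hsd) -> bool:
    """Protection check in its simplest form: compare the reply with a stored value."""
    return hmac.compare_digest(hsd.respond(FIXED_CHALLENGE), FIXED_RESPONSE)


def check_keyed(hsd, secret: bytes, nonce: Optional[bytes] = None) -> bool:
    """Variable-value check: a fresh random challenge each time, so a reply
    recorded during an earlier run does not match. `nonce` may be fixed for tests."""
    challenge = os.urandom(16) if nonce is None else nonce
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(hsd.respond(challenge), expected)


if __name__ == "__main__":
    fixed_seen = record_one_exchange(FixedValueHSD(), FIXED_CHALLENGE)
    keyed_seen = record_one_exchange(KeyedHSD(SHARED_SECRET), b"\x01" * 16)
    print("fixed-value check, recorded reply:", check_fixed(ReplayHSD(fixed_seen)))      # True
    print("keyed check, recorded reply:", check_keyed(ReplayHSD(keyed_seen), SHARED_SECRET))  # False
```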

3.2 SOFTWARE ANALYSIS DENIAL (SAD) 

What is currently being done in commercial software to make 
adversarial analysis and/or modification of the software more 
difficult? 

In the copy protection game, it does little good to have a 
unique signature, impossible to duplicate, if the adversary can 
easily modify software such that the signature need not be present 
for proper operation. Consequently, it is imperative to have a well 
balanced protection scheme — the difficulty of duplicating the 
signature should be comparable to analyzing and modifying the 
software. 

Since the most common tool used by an adversary is a software 
debugger, we will limit remarks to techniques the defense can employ 
to make analysis from this source more difficult. However, we will 
also address some techniques being used to make modification of 
critical or non-commercial software difficult. 

Given that the defense knows what tool(s) the threat will likely 
use, he must determine how the normal operating environment will be 
altered by use of these tools. For the case of a debugger, there are 
available several modifications to the environment. 

The first and most obvious change is that the debugger must 
reside in the same memory space as the application, thus, a foreign 
presence can be checked for. Typical debuggers depend heavily on 
certain interrupt vectors to single step and breakpoint the 
application software. Application software then could easily integrate the 
use of these vectors into the application itself and thereby create 
difficulty in using the adversary debugger. Quite often in the 
analysis effort, it is convenient for the adversary to modify 
registers and/or memory locations to help in understanding of the 
software. Difficulty can be enhanced by making the proper execution 
of software highly sensitive to not only memory location and 
registers used, but to all memory locations and registers available. 
Finally, the application should have code which is timing sensitive 
because analysis of the software will alter its correct timing. 

Assuming that the adversary can, through analysis, determine 
what he needs to modify, then the defense needs to employ techniques 
to make the desired modification difficult. The most common tech- 
nique seems to be through use of checksums. If the defense realizes 
where an adversary will likely modify the software then they will 
perform checksums on this area of code hoping that any change to the 
critical code will alter the value of the checksum. Encrypting the 
critical software is another technique. If the adversary, through 
analysis, examines the decrypted form of the critical code and deter- 
mines what needs modification, then he also must determine how to 
alter the cipher text that will yield the desired result. Public key 
cryptography is useful in this area. For example, if the algorithm 
used to encrypt the critical software was RSA and only the decrypt 
key was stored in the system, then the adversary would have an ex- 
tremely difficult time determining how to change cipher text to 
achieve the desired plain text. 

Numerous other techniques are currently being used in the com- 
mercial world, such as executable software movement, searching for 
breakpoint instructions and taking advantage of the Intel 8088 prefetch 
queue. 
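The checksum and "store only the decrypt key" ideas above, as an added example that is not code from the paper: a critical region is shipped RSA-encrypted under a toy key pair (constructed and far too small for real use; the paper gives no parameters), the loader decrypts it with the stored decrypt exponent and checks an additive checksum of the kind the paper mentions, and a SHA-256 digest is checked beside it to show what an additive checksum misses. The region contents and all function names are constructed.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed toy RSA parameters: p = 61, q = 53, n = 3233, phi = 3120.
# E is the vendor's encrypt exponent and never ships; only D, the decrypt
# exponent, is stored with the software, so an adversary who can read the
# decrypted region still cannot produce ciphertext for a chosen plaintext.
N = 3233
E = 17
D = 2753          # 17 * 2753 = 46801 = 15 * 3120 + 1

# Stand-in for the critical code region (constructed; not real machine code).
CRITICAL_REGION = b"check signature"


def checksum16(region: bytes) -> int:
    """Additive 16-bit checksum, the simplest form of the check the paper describes."""
    return sum(region) & 0xFFFF


def region_digest(region: bytes) -> bytes:
    """Cryptographic digest of the region; detects reorderings an additive sum cannot."""
    return hashlib.sha256(region).digest()


def encrypt_region(region: bytes) -> List[int]:
    """Vendor side, done once before shipping: textbook RSA on each byte.
    Per-byte RSA is a codebook and only illustrates the asymmetry here."""
    return [pow(b, E, N) for b in region]


def load_critical(cipher: List[int], expected_sum: int,
                  expected_digest: Optional[bytes] = None) -> Optional[bytes]:
    """System side: decrypt with D, then refuse the region unless the integrity
    values stored with the software match. Returns None on any failure."""
    words = [pow(c, D, N) for c in cipher]
    if any(w > 0xFF for w in words):
        return None               # altered ciphertext decrypted to a non-byte value
    region = bytes(words)
    if checksum16(region) != expected_sum:
        return None
    if expected_digest is not None and not hmac.compare_digest(
            region_digest(region), expected_digest):
        return None
    return region


if __name__ == "__main__":
    cipher = encrypt_region(CRITICAL_REGION)
    print(load_critical(cipher, checksum16(CRITICAL_REGION)))   # b'check signature'
    swapped = list(cipher)
    swapped[1], swapped[2] = swapped[2], swapped[1]             # reorder two ciphertext words
    print(load_critical(swapped, checksum16(CRITICAL_REGION)))  # additive sum still matches
    print(load_critical(swapped, checksum16(CRITICAL_REGION),
                        region_digest(CRITICAL_REGION)))        # None: digest catches it
```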

3.3 TECHNOLOGY DENIAL CONCEPTS (TDC) 

Assuming acquisition of a working system, it is imperative to 
keep the adversary from performing dynamic analysis on it in an 
interactive fashion. If he is allowed to perform this interactive 
dynamic analysis, he will eventually be able to locate and bypass all 
of the SAD features discussed in 3.2. 

For this reason the adversary must be made to pay a penalty each 
time he is detected by SAD sensors. This penalty could be anything 
from destroying critical system components that would disallow fur- 
ther testing with that particular system to subtly altering the 
system in such a way as to provide disinformation, which is of no 
pertinent value, to the adversary. 

Unfortunately, from the pure security viewpoint any commercial 
product containing or even suspected of containing TDC will suffer 
exceedingly due to consumer abhorrence and consequent economic 
leverage. This was typified by the irate consumer response directed 
against several software security vendors who boldly announced the 
intended use of worms in a future release of their products. 



4.0 THE THREAT 

Adversarial objectives of the threat are diverse. They encom- 
pass pirating commercial programs, subverting banking or government 
software, and stealing software-based proprietary algorithms. For 
example, suppose that companies A and B both produce and market an 
RSA encryption program. Further suppose that B's product is substan- 
tially slower than A's version primarily due to the speed of the 
algorithm responsible for finding large prime numbers. Company B's 
programming analyst could acquire a copy of A's program, reverse 
engineer the software, and then "borrow" the faster algorithm. 

For government and perhaps business applications, the adver- 
sary's objectives are similar. Suppose the military has a computer 
based weapon control system. Part of its system software, respon- 
sible for access control, is password protected. To access the 
control system that will allow use of the weapon system without 
knowledge of a legitimate password, or to deny use of the weapon 
system to an authorized user the adversary must acquire tools to 
duplicate the software and then determine what modifications would be 
necessary to alter the control system. 

Before we discuss tools with which the threat attempts to ac- 
complish his objectives, we need to provide a working definition of 
the adversary. The threat can be subdivided, in general, into in- 
sider and outsider categories with authorized access being the main 
difference between the two. The insider threat could be anyone from 
the designer of the system to an authorized end user of the fielded 
system. Thus, the insider threat can be broken into two categories: 
those intimately knowledgeable with the system, such as the design 
team, and those with little or no knowledge but having authorized 
access. However, this paper will not address the problem associated 
with the threat being part of the design team. 

Since access control is typically a separate security issue, the 
outsider threat scenario considered will usually be under the assump- 
tion that the threat has already gained access to the system. Thus, 
for the purposes of this paper, a conservative approach is taken in 
that both the insider and outsider threat are considered essentially 
equivalent. 

4.1 THREAT TOOLS 

Adversarial tools that threaten commercial and perhaps other 
software fall into two main categories: tools used to duplicate the 
unique signature or its effect, and tools used to analyze software 
and hardware. They vary from no cost to $100K+ and are readily 
available. 

If the unique signature is an unusual magnetic encoding on a 
floppy, then there are many commercial products available that will 
analyze the floppy and attempt to replicate the signature. However, 
these software tools share one deficiency: all utilize the FDC for 
their analysis and duplication efforts. But, there exists unique 
signatures that are currently being used that were not created using 
the FDC and all its limitations. For example, some vendors use 
special hardware that will generate "weak bits". These bits are 
impossible to duplicate using the FDC and are thus felt to be more 
secure by the vendors. Unfortunately, there are also available 
products [3] capable of separately encoding each bit cell on a track 
and at a variable flux density. Such products make duplication of 
all magnetically encoded unique signatures on floppy disks effec- 
tively trivial. 

Even if the signature is a result of physical damage to the 
disk, the adversary has several options. First, with appropriate 
equipment, he can attempt to duplicate the physical damage, which 
could be difficult even with expensive equipment. However, depending 
upon the motivation and resources of an adversary, it is certainly 
feasible. A simpler and cheaper approach would be to alter the 
system so that software which checks for damage is "fooled" into 
thinking that the damage is present. This might be done by front- 
ending certain interrupt vectors which are tied to the FDC. Such 
front-end software would change the status of the FDC command to the 
correct and expected values. 

If an HSD is installed as the signature then attacks similar to 
the physical damage case could be employed. Usually it is a 
straightforward task to alter software that is communicating with the 
HSD using a technique that renders the HSD needless. A much more 
complicated technique for defeat would be to duplicate the HSD. 
However, this addresses the tools and techniques of analyzing and 
duplicating microcircuitry, which is beyond our scope. 

The adversary will make use of two general classes of tools in 
his analysis effort: static and dynamic. Assuming he has acquired 
use of the system, the adversary will use these tools against the 
binary form of software. For example, static tools can be used to 
locate all branching instructions and/or all occurrences of an INT 
13H (disk operation) instruction. These classes of tools can often 
provide a good starting point for application of dynamic analysis 
tools. Actually, the more structured the programming methodologies 
the more straightforward it is to use these tools. This situation is 
certainly better for the adversary. 

Dynamic analysis tools are the real workhorses for the 
adversary. They include software debuggers [1,2,4], in-circuit 
emulators (ICE) [8,10], and simulators. We have determined that the 
software debugger and ICE type tools are particularly useful for 
analyzing software systems. 

These dynamic tools allow the adversary to execute the software 
in a controlled fashion. That is, the software can be executed one 
instruction at a time (single step). Then between instructions the 
analyst can examine/modify registers and/or memory locations. In 
addition to the single step mode, the analyst can also stop process- 
ing as a function of several other types of events. For example, 
execution could be halted and the environment examined/modified when: 

1. Instructions are fetched or executed 

2. Operands are fetched or modified 

3. I/O ports are referenced 

4. Memory/register contents reach predetermined values 

Simple but powerful tools such as these give the adversary an 
enormous amount of information and consequently, it becomes a nearly 
straightforward task for the analyst to wade through the software to 
achieve his objective. The only difficulty that the analyst must be 
aware of is modification of the operating environment in a way that 
will trip a security sensor. Fortunately, for the adversary, even if 
he trips a sensor there will not be a debilitating penalty in most 
current systems. Thus, through an iterative process he will even- 
tually work his way through or around all the sensors on the path to 
his objective. If the adversary's tools modified the environment in 
a detectable fashion and a significant penalty were imposed then the 
adversary is forced to proceed at a far slower pace. He must execute 
smaller blocks of code before hitting a breakpoint and he must also 
attempt to fix any environment modifications. Depending on the 
payoff, however, the adversary may well be willing to pay this extra 
price to analyze systems using penalties. 

5.0 THREAT VS. DEFENSE 

We have briefly discussed the objectives, tools and techniques 
of the two players. Our purpose here is to point out some strengths 
and weaknesses of the schemes currently being used commercially. 






Many advantages in this game reside with the threat. As always, 
the adversary plays his cards last and thereby gets to attack a 
static security design. Beyond this there is another major obstacle 
for any cryptographic solution to the security dilemma. Even though 
the defense uses cryptographic schemes to scramble the executable 
software he must include not only the decryption algorithm but also 
all of the necessary cryptographic keys as part of the system. 

The weakest characteristic of these schemes is the fact that the 
adversary never has to pay a penalty and in effect has an unlimited 
number of tries in order to achieve his objectives. To make matters 
worse some schemes typically broadcast to the outside world that a 
security violation has occurred. They will usually provide for the 
adversary a detailed road map to the sensor location. This weak 
characteristic alone makes defeat of these security schemes 
significantly easier! 

Currently, many systems use a security front-end to their ap- 
plication software. This is done for several reasons, one of which 
is that it does not require modification to the application software, 
which makes the addition of protection easier for the vendor. 
Unfortunately, these front-ends are typically very easy to completely 
remove leaving the adversary with the unprotected application. Also, 
due to the proliferation of security schemes numerous software ven- 
dors purchase and use the same security package. Consequently when 
one package is defeated the rest will fall in short order and with 
minimal effort. 

As previously stated, it appears that all of the more advanced 
security schemes rely on the use of clever programming tricks to 
detect an adversarial presence. This tends to make the reverse 
engineering process more difficult. It is not clear, however, as was 
pointed out in Simmons [19], how effective these defensive tricks can 
be designed to preclude or significantly delay the adversary from 
ultimately achieving his objectives. 

Fortunately, there are several techniques that could be employed 
to make software analysis/modification more difficult. Most 
importantly, the adversary must be made to pay for his mistakes. A 
suitable penalty in the commercial world would simply be to make the 
application software nonfunctional. The best way to alter the 
software to a nonfunctional state is to cause the software to fail 
intermittently with subtle problems. For example, suppose the XYZ 
corporation produces and markets a CAD/CAM program. Upon detection 
of an adversarial presence the penalty to be invoked might be to 
alter the software so that the drawings sent to a plotter will ran- 
domly miss pen strokes. In the case of spreadsheet software, the 
numerical calculation associated with the spreadsheet columns could 
be subjected to random errors. 

With proper implementation of this type of penalty the adversary 
will not be tipped off that he has been caught. Later when he or his 
customer is using the application software there is a good chance 
that he will not associate the sporadic (flaky) operation to the 
pirated copy. This sort of tactic prevents another and perhaps more 
intensive attack on the target software. 

Many other techniques could be used to improve the security of 
software using current methodologies. However, we feel they, at 
best, provide very limited protection from a sophisticated opponent. 
The security of the system should not depend heavily on how cleverly 
the designer implemented his tricks. An enormous need exists for 
software security systems that provide a high degree of predictable 
protection. What we really need are methodologies whose security is 
comparable to that of a good cryptographic system. 



6.0 RESEARCH GOALS 

Research applications in this area will impact software based 
systems in four distinct domains: 1) security level 2) cost 
3) reliability 4) performance. Obviously, the optimum objective of 
SAD/TDC is to provide maximum security at minimal cost, with no 
impact on system reliability or degradation of system performance. 
This is an impossible task. However, depending on the application, 
the above optimum objective could be relaxed and realistic require- 
ments could still be achieved. 






Ideally, the level of security provided by SAD/TDC is equivalent 
to security associated with modern cryptographic based systems. That 
is, the compromise of a system should be dependent on the adversary 
dealing with the computational complexity issue. As mentioned, 
however, all SAD/TDC currently being employed involve the use of 
clever tricks and attempts to conceal information from the adversary. 
After refinement, perhaps even these techniques may be adequate for 
limited situations. For example, suppose our secure system, which we 
have control over, is one in which the unique information (a special 
algorithm perhaps) can be made obsolete within one week after detect- 
ing loss. If so, a security system which provides at least two weeks 
of delay to the adversary may be adequate. In the limit then our 
secure system could have its uniqueness changed inside the cycle time 
of an adversary. 

Costs of these sorts of systems can be broken into three 
categories: 1) development, 2) production, and 3) administration. 
Development, that is the cost to design and integrate the security 
subsystems into the applications, is a one-time item and thus, this 
cost increase will usually have the most latitude. However, addi- 
tional production costs will be incurred for each system produced and 
as such, may receive much closer scrutiny from management. On the 
other hand, in an extremely high security application, as is the case 
with control for nuclear weapons, costs become of secondary impor- 
tance, so an increase of perhaps a few thousand dollars for the 
security system becomes acceptable. Administrative costs are as- 
sociated with maintaining system security requirements, such as the 
need for key management. Costs such as these are recurring and 
potentially substantial. The security designer should always be 
attentive to this area. 

Many of the application systems that need added security have 
requirements for extremely high reliability. For this reason the 
security designer must be very careful with use of certain techniques 
such as timing tricks. Many times a security system undergoes an 
independent review process, which is designed to determine if subver- 
sive features (trapdoors, trojan horses, etc.) are present. 
Unfortunately, it may be more difficult to detect designer induced 
subversive constructs due to current techniques being used by the 
designers to improve system security. 



Based on this current state of affairs, if the software designer 
were a covert agent, then he could compromise the integrity of the 
system while appearing to increase its security! 

Finally, the issue of system performance can be of overriding importance depending on the application. The key idea is to minimize or eliminate such adverse effects. If an application is the guidance subsystem software for a defensive missile, then performance degradation could not be tolerated. For instance, the system's reduced capability to update the missile's parameters may result in an unacceptable reduction of kill ratio. 

Now, we would like all parameters of a security subsystem skewed 
in our favor in an optimal fashion, but realistically this does not 
seem feasible. Compromises will need to be made with the security 
design as a function of application system requirements so that an 
optimum balance is achieved. 



7.0 SUMMARY 

Considerable effort and resources are expended to prevent "hackers" or outsiders from attaining illegal access to computer systems. The same is not true, unfortunately, concerning the insider adversary having access to a computer system. Partial or complete access can lead to unauthorized duplication or modification of the system's software. 

Current defense methodologies are not adequate to prevent or 
even significantly delay an insider adversary from achieving unethi- 
cal to illegal objectives. Many software applications in both 
business and government sectors are in dire need of effective tech- 
niques to thwart an insider or outsider (who has acquired access) 
attack. Although the level of security offered through current 
methodologies can be enhanced to some degree, the results will still 
be unsatisfactory because the problem stems from these marginal 
methodologies. 



We must provide new developments that, for example, explore the 
world of cryptology and exploit the limits of numerical complexity to 
the extent the security of a system is provable, or at least predict- 
able. With this sort of focus perhaps, the myths of software 
protection and security can be transformed to reality. 






Public Protection of Software 



Amir Herzberg and Shlomit S. Pinter 

Dept. of Electrical Engineering 
Technion - Israel Institute of Technology 
Haifa 32000, ISRAEL 

Abstract 



One of the overwhelming problems that software producers must con- 
tend with, is the unauthorized use and distribution of their products. 
Copyright laws concerning software are rarely enforced, thereby caus- 
ing major losses to the software companies. Technical means of pro- 
tecting software from illegal duplication are required, but the available 
means are imperfect. We present protocols that enable software protection, without causing overhead in distribution and maintenance. The protocols may be implemented by a conventional cryptosystem, such as the DES, or by a public key cryptosystem, such as the RSA. Both implementations are proved to satisfy the required security criteria. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 158-179, 1986 
© Springer- Verlag Berlin Heidelberg 1986 



1. Introduction 

Great losses to software producers are currently incurred due to the ease of 
copying most computer programs. It is common practice for one user to buy a 
software product, and without the producer's consent to give or sell it to other 
installations. The economic value of software protection resulted in many pro- 
ducts that supplied means to protect software. It is shown in [HK84] that many 
commercially available means suffer from some of the following deficiencies: 

1. Insufficient protection. 

2. Impaired backup capability (for the innocent user). 

3. Narrow range of applicable systems (i.e., methods that protect only 
firmware). 

4. Obstacles for distribution and maintenance of the computers and the 
software. 

5. Excessive overhead in total costs or in execution time. 

This paper describes and proves the security of a software protection 
system that does not suffer from the deficiencies indicated. A preliminary version 
of PPS (Public Protection of Software) has been presented, together with other software 
protection methods, in [HK84]. In contrast with the deficiencies outlined above, 
PPS provides: 

1. Provable, hence reliable, protection. 

2. Undisturbed backup capability. 

3. Applicable on virtually all systems. 

4. Simple, undisturbing protocols for distribution and maintenance. 

5. Reasonable overhead in total costs and execution speed. 

PPS requires modifications to the architecture of the processor. Therefore, 
it can only be implemented by CPU manufacturers. In a recent paper [AM84], 
another software protection method (henceforth referred to as AM) was presented 
that requires similar modifications to the internals of the processor. PPS differs 



mainly in the protocols used. The PPS protocols require less communication 
between the parties, and minimal intervention of the key generating body (denoted 
Z) and the software producer. For example, communication between the software 
producer and the system integrator before the protection of each product is not 
required. This communication is essential in AM. In addition, PPS provides proto- 
cols for replacing malfunctioning CPUs and indirect software distribution (via a 
dealer). AM does not provide protocols for those functions. A detailed comparison 
of PPS and AM may be found in Section 2.1. 

PPS is the combination of three protocols, two for the distribution of software and one for replacement of malfunctioning CPUs. PPS may be implemented either by public key cryptosystems or by conventional cryptosystems. Section 2 discusses the protection supplied by PPS. In Section 3 we describe how PPS may be implemented by public key cryptosystems (PPS/PK). In Section 4 a formal model for discussing the security of PPS is presented. The security of the public key cryptosystem implementation is then proved. This implementation is straightforward, but the conventional cryptosystem implementation (PPS/C) presented in Section 5 seems to be much more realistic. Section 6 gives the final conclusions. 

The protection provided by PPS 

PPS attempts to render unprofitable the effort required to copy protected 
software. PPS relies upon mechanisms embedded in the CPU, therefore PPS can- 
not prevent the CPU producer from making secret trapdoors in the CPU that will 
enable software duplication. PPS requires a key-producing body, which installs the 
initial keys in the CPU and enables replacement of failing CPUs. This body may be 
the CPU producer, and it is represented by Z or the center in this paper. PPS 
enables Z to distribute the keys in such a manner that prevents other bodies from 
creating valid keys. If the system's OEM is Z, this feature might help to prevent the 
creation of "clones" (compatible computers by other OEMs). 

Intuitively, PPS provides three levels of protection. The first level is against 
simple piracy attacks. Such attacks use legal procedures and attempt to duplicate 



software by some unforeseen manipulation of those procedures. The second level 
is against more determined attacks, that include the faking of a CPU failure. Due 
to obvious reasons, a new CPU, that runs all the software bought for the failing 
CPU, should be provided quickly. It is obvious that if the CPU did not really fail, 
and is not returned, the attackers will have two CPUs that run the same software. 
While this hazard should be protected against by an appropriate procedure, PPS 
ensures that no further gain may be achieved by faking a CPU failure. PPS's third 
level of protection is against attackers that physically violate the CPU's enclosure, 
and discover (literally!) the keys held within. This approach is quite extreme, but 
it has been argued that such attacks may be attempted by parties that desire to 
cause distrust in the center or in the CPU. Only when implemented by a public key 
cryptosystem, PPS provides some protection against this attack. After violating 
the integrity of the CPU, the attackers will only be able to decypher protected code 
encrypted for the violated CPU. 

A possible modification of PPS is transferring a key (execution key) instead of 
the actual program [AM84, HK84]. The program is then transferred and encyphered 
by that key. The CPU operates the program using the execution key. The security 
analysis of such a modification would not change compared to that of PPS (given in 
Section 4). As described in the references, this modification might improve greatly 
the performance of the CPU. 

1.1. PPS vs AM 

1. The influence of PPS on the architecture of the CPU is the same as the 
influence detailed in [AM84], and is not discussed here. 

2. Both methods provide sufficient protection, undisturbed backup capability, 
wide range of applicable systems, and reasonable overhead in total costs and 
execution time. 

3. PPS may be implemented either by using public-key cryptosystems or by 
using conventional cryptosystems, while AM requires public-key 



cryptosystems. The implementation of public-key systems is much harder. 

4. PPS does not require communication between the software producer and the 
customer during the purchase of the software. Rather, an untrusted dealer 
may sell the software, with no need for immediate communication with the 
software producer (see Section 3.2). This communication is essential in AM, 
and may present quite an obstacle in software distribution. 

5. PPS does not require communication between the software producer and the 
system integrator before the protection of each product. This communication 
is essential in AM and presents another obstacle in software distribution. Also, 
the added transmissions may be tapped and altered, and the security is 
endangered. 

6. PPS provides a protocol that enables the replacement of a malfunctioning 
CPU by untrusted servicemen, without requiring the physical transfer of a new 
CPU from the producer. AM requires the physical transfer of a new CPU. 

7. The motives of all the parties involved in the usage of the protection 
method (CPU producers, system integrators, software producers, etc.) are 
similar in both methods. Those motives are discussed in depth in [AM84]. 
We will not repeat these arguments. 

8. AM allows the system's OEM (Original Equipment Manufacturer) to require a 
fee from software producers for each usage of the system to protect software. 
By a simple variant to PPS the same result may be achieved. We will not discuss this here. 

2. Implementation of PPS with Public-Key Cryptosystem (PPS/PK) 

The implementation of PPS requires encrypting functions inside the CPU. The encryption may be done by a public-key cryptosystem (PKCS), such as [RSA78], or by ordinary encryption methods, such as [DES77]. In this section we will describe the implementation by a PKCS, denoted PPS/PK. This implementation is more straightforward; however, since no implementation of a PKCS seems both secure and quick, the implementation by conventional cryptosystems seems to be more reasonable. The concept of PKCSs was first suggested in [DH76], and several implementations, as well as numerous applications, have been published since then [M83]. 

A PKCS is based on a set of pairs of functions $\{\langle E_i, D_i \rangle\}$ such that: 

C1. $D_i E_i = E_i D_i = 1$. 

C2. Knowing $E(M)$ and $E$, but not $D$, does not reveal anything about $M$. 

C3. Knowing $D(M)$ and $M$ does not reveal $D$. 

We use $E$ to denote the encrypting function (or key), and $D$ or $E^{-1}$ for the decyphering function (or key). 

With each computer unit $u$, associate a pair of keys $\langle E_u, D_u \rangle$, and with Z associate a pair of keys $\langle E_z, D_z \rangle$. Every computer unit $C_u$ contains the following information: 

1. $D_u$ - The decyphering (secret) key of $C_u$. 

2. $E_z$ - The encrypting key of Z. 

3. $D_z E_u$ - The encrypting key of $C_u$, signed by Z. 

For indirect distribution via a software dealer U, another key is required in the dealer's computer, $F_u(i)$: 

4. $F_u(i)$ - The software producer sells his or her software to the dealer with this key. The key is changed between sales. 

The keys $D_u$, $F_u(i)$, and $E_z$ are kept hidden inside the CPU itself. They may not be accessed by the CPU instructions, except the special instructions that implement PPS. The signature of Z, denoted $D_z$, is even more secret: it is not kept in the CPU at all. On the contrary, $E_u$ may be used quite easily (and is not a secret). 

The cryptographic utilities required for PPS are only trapdoor functions. Actually, we only require $D_u E_u = 1$ for every computer $u$, and $E_z D_z = 1$. The cryptosystem may be commutative, i.e. $E_a E_b = E_b E_a$. Several PKCSs have this property, including [RSA78], and some protocols are not secure with commuting cryptosystems. If other properties are known for the cryptosystem, analysis as in Section 4 should be done. 

2.1. Direct software distribution protocol (PPS/PK) 

The protocol that a user U with computer $C_U$ should follow in order to buy PPS/PK protected software from its producer P is the direct distribution protocol outlined below. Note that information should pass only once from the user to the producer and vice versa. The notation used for a user U sending a message M to his computer $C_U$, or to another party B, is $(U, M, C_U)$ or $(U, M, B)$ respectively. 

D1. $(U, D_z E_u, P)$ - The user U sends to P the encryption key $E_u$ signed by Z. 

D2. $(P, (D_z E_u, PGM), C_P)$ - The producer P enters the encryption key of the customer's computer signed by Z and the program to be distributed, PGM, into his computer. 

D3. $(C_P, [E_z D_z E_u] PGM, P)$ - The encryption procedure $E_z$ is known to all computers, but hidden from the users. 

D4. $(P, E_u PGM, U)$ - The user receives the software package. 

D5. $(U, E_u PGM, C_U)$ - Loading the program. 

D6. $(C_U, O(D_u E_u PGM), U)$ - The computer (but not U) knows $D_u$. While executing, the code PGM is hidden inside the processor. The operation (run) of software P by a computer is $O(P)$. 

It is assumed that knowing $O(PGM)$ does not enlighten the intruder about PGM. 

2.2. Indirect software distribution protocol (PPS/PK). 

Usually software is not sold directly from the producer to the customer, but rather it is sold via a third party, the software dealer. Even telephone connection with the producer should, in these cases, be avoided. The direct software distribution protocol, described in Section 3.2, is not suitable here, since the producer may rarely rely on the honesty of all the dealers. PPS provides a special protocol for indirect software distribution. This protocol requires one extra key hidden inside the dealer's CPU. The extra key changes in each execution of the protocol. This temporal key, $F_L(i)$ (of a dealer L), is assumed to be the key of a conventional cryptosystem (although it could be implemented with a PKCS as well). The protocol is divided into two phases. In the first phase, the dealer L buys token programs from the producer. The tokens are converted to useful programs by the dealer's computer, $C_L$, in the second phase. Each token produces no more than one useful program, encyphered with the key of some buyer's computer. The initial key $F_L(0)$ is known only to the software producer. For example, $F_L(0)$ may be initiated in $C_L$ by the producer before the computer $C_L$ is given to the dealer. 

The distribution protocol is outlined below. The first phase is done for each token i to be used. Note that information should pass only once in each direction. 

I1. $(P, F_L(i)[PGM, F_L(i+1)], L)$ - The producer P gives the dealer L a token i. This is the first phase of the protocol, and it may be done independently of the other phases. 

I2. $(U, D_z E_u, L)$ - The user U sends his key to the dealer. 

I3. $(L, (F_L(i)[PGM, F_L(i+1)], D_z E_u), C_L)$ - The computer $C_L$ now contains the key $F_L(i)$ that corresponds to token i. 

I4. $(C_L, E_u PGM, L)$ - At the same time, $C_L$ changes from key $F_L(i)$ to the new key $F_L(i+1)$, the new key that is given in the token. 

I5. $(L, E_u PGM, U)$ - From this step on, the protocol is the same as the direct distribution protocol. The user receives the software package. 

I6. $(U, E_u PGM, C_U)$ - Loading the program. 

I7. $(C_U, O(D_u E_u PGM), U)$ - The computer $C_U$ (but not U) knows $D_u$. While executing, the code PGM is hidden inside the processor. Several $F_L(i)$ mechanisms may be implemented in the same processor. Also, processors dedicated to users need not have $F_L(i)$ at all. 
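The following is an added worked example, not code from the paper, that runs the direct protocol (D1-D6) and the indirect, token-based protocol (I1-I7) end to end in Python. Its assumptions: textbook RSA on toy Mersenne-prime moduli stands in for the trapdoor pairs $\langle E_u, D_u \rangle$ and for Z's signature; an HMAC-SHA256 keystream with an authentication tag stands in for the conventional cryptosystem behind $F_L(i)$; the packing of $E_u$ into one integer, the chunking of PGM, the key seeds and the sample program are all constructed for the example. Besides the two successful runs it checks three points the text makes: a package $E_u PGM$ is useless on another CPU, a token converts to exactly one program because $C_L$ moves on to $F_L(i+1)$, and a key that Z did not sign is rejected at D2.

```python
# Added toy run of the PPS/PK direct (D1-D6) and indirect (I1-I7) distribution
# protocols, not the paper's code. Assumptions: textbook RSA (no padding, toy
# Mersenne-prime moduli) stands in for the pairs <E_u, D_u> and for Z's
# signature; an HMAC-SHA256 keystream plus tag stands in for the dealer's
# conventional key F_L(i); the key packing, chunking and program are constructed.
import hashlib, hmac

E, CHUNK = 65537, 14   # 112-bit program chunks stay below every CPU modulus used
M = {k: 2 ** k - 1 for k in (31, 61, 89, 107, 127, 521)}   # Mersenne primes

def keypair(p, q):     # ((e, n), (d, n)); 65537 is coprime to every phi here
    return (E, p * q), (pow(E, -1, (p - 1) * (q - 1)), p * q)

def apply_key(k, x):   # the paper's k(x) for a key k = (exponent, modulus)
    return pow(x, k[0], k[1])

def pk_encrypt(pub, data):   # E_u PGM as (length, list of chunk ciphertexts)
    n, data = len(data), data + b'\0' * (-len(data) % CHUNK)
    return n, [apply_key(pub, int.from_bytes(data[i:i + CHUNK], 'big'))
               for i in range(0, len(data), CHUNK)]

def pk_decrypt(priv, package):   # D_u E_u PGM
    n, chunks = package
    width = priv[1].bit_length() // 8 + 1
    return b''.join(apply_key(priv, c).to_bytes(width, 'big')[-CHUNK:] for c in chunks)[:n]

def sym(key, data):    # XOR with an HMAC(key, counter) keystream
    ks = b''.join(hmac.new(key, i.to_bytes(4, 'big'), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def tag(key, ct):
    return hmac.new(key, ct, hashlib.sha256).digest()

Z_PUB, Z_PRIV = keypair(M[521], M[127])   # Z's pair; D_z is in no CPU

def z_sign(cpu_pub):   # D_z E_u, with E_u = (e, n) packed as n << 32 | e
    return apply_key(Z_PRIV, (cpu_pub[1] << 32) | cpu_pub[0])

def verify(signed):    # E_z D_z E_u = E_u; a junk low word means not signed by Z
    x = apply_key(Z_PUB, signed)
    if (x & 0xFFFFFFFF) != E:
        raise ValueError('key is not signed by Z')
    return E, x >> 32

class CPU:             # D_u, E_z and a dealer's F_L(i) live here, never read out
    def __init__(self, p, q, f0=None):
        self.pub, self._priv = keypair(p, q)
        self.signed_pub = z_sign(self.pub)   # D_z E_u, installed by Z
        self._f = f0                         # F_L(0), set by the producer
    def run(self, package):                  # D6 / I7: O(D_u E_u PGM)
        return pk_decrypt(self._priv, package)
    def convert(self, token, signed_pub):    # I3 / I4 on the dealer's C_L
        ct, t = token[:-32], token[-32:]
        if not hmac.compare_digest(t, tag(self._f, ct)):
            raise ValueError('token was not made for the key this CPU now holds')
        plain = sym(self._f, ct)
        self._f, pgm = plain[:32], plain[32:]   # F_L(i) -> F_L(i+1)
        return pk_encrypt(verify(signed_pub), pgm)

class Producer:
    def __init__(self):
        self._f = {}   # current F_L(i) per dealer CPU, known only to P
    def sell_direct(self, signed_pub, pgm):  # D2 / D3 on C_P
        return pk_encrypt(verify(signed_pub), pgm)
    def new_dealer_cpu(self, p, q):          # F_L(0) installed before handover
        f0 = hashlib.sha256(b'constructed F_L(0) for %d' % (p * q)).digest()
        cpu = CPU(p, q, f0)
        self._f[id(cpu)] = f0
        return cpu
    def sell_token(self, dealer, pgm):       # I1: F_L(i)[PGM, F_L(i+1)]
        cur = self._f[id(dealer)]
        nxt = self._f[id(dealer)] = hashlib.sha256(cur).digest()
        ct = sym(cur, nxt + pgm)
        return ct + tag(cur, ct)

def demo():
    """D1-D6 for user u, I1-I7 via a dealer for user w, plus three checks."""
    producer = Producer()
    cpu_u, cpu_w = CPU(M[61], M[107]), CPU(M[31], M[89])
    dealer = producer.new_dealer_cpu(M[127], M[89])   # toy: primes reused
    pgm = b'constructed sample program: MOV AX,1 / INT 21h'
    pkg_u = producer.sell_direct(cpu_u.signed_pub, pgm)   # D1-D4
    token = producer.sell_token(dealer, pgm)               # I1
    pkg_w = dealer.convert(token, cpu_w.signed_pub)        # I2-I5
    r = {'u_runs': cpu_u.run(pkg_u) == pgm,                # D5-D6
         'w_runs': cpu_w.run(pkg_w) == pgm,                # I6-I7
         'package_bound_to_cpu': cpu_w.run(pkg_u) != pgm,  # no 'adjusting' to w
         'token_single_use': False, 'unsigned_key_rejected': False}
    try:
        dealer.convert(token, cpu_w.signed_pub)            # C_L now holds F_L(i+1)
    except ValueError:
        r['token_single_use'] = True
    try:   # attacker skips Z and sends his packed E_w in place of D_z E_w
        producer.sell_direct((cpu_w.pub[1] << 32) | cpu_w.pub[0], pgm)
    except ValueError:
        r['unsigned_key_rejected'] = True
    return r
```

Textbook RSA without padding and a counter-mode HMAC keystream are used only to keep the run self-contained and deterministic; what the example shows is the flow of keys and messages, and in particular that the single-use property of a token follows from $C_L$ replacing $F_L(i)$ by the $F_L(i+1)$ carried inside the token itself.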



2.3. The replacement protocol (PPS/PK). 

If the CPU of a user malfunctions, a new CPU must be provided. An essential 
property of the new CPU is being completely compatible: every software run on 
the old CPU should also run on the new one. To enable the new CPU to run PPS/PK 
protected software, it must have the same keys as the old one. A similar 
requirement ensues from upgrades to the CPU, when CPU replacement is required. 

The new CPU must be made available as soon as possible. It should be possi- 
ble for several service centers to make available a CPU to replace any malfunc- 
tioning CPU in their territory. Obviously one cannot permit such service centers to 
produce CPUs and determine their keys at will. We present a solution in which 
deceptions are likely to be discovered or prevented, and even if deception is com- 
mitted by the service center, no more than one illegal CPU will be obtained. Those 
results are formally proved in Section 4.3. 

The solution we suggest to this problem requires the remote help of Z. However, this help is only remote (by communication), and does not require physical interaction with Z, as in [AM84]. The protection will not fail even if the communication is tapped or altered. 

Every CPU replacement will require Z's intervention. After the CPU has been replaced, Z must verify that a replacement has in fact taken place (for example, by receiving the malfunctioning CPU and verifying its identity). The service center S uses the remote help of Z to convert a spare computer $C_s$ (with keys $E_s$ and $D_s$) into a replacement for $C_u$. After the successful completion of the protocol, $C_s$ will have keys $E_u$ and $D_u$. The replacement protocol is outlined below. 

R1. $(U, D_z E_u, S)$ - User U requires a replacement CPU from S. 

R2. $(S, (D_z E_u, D_z E_s), Z)$ - The serviceperson asks Z for a transformation key that will change the keys of the spare CPU $C_s$ from $E_s, D_s$ to $E_u, D_u$. 

R3. $(Z, E_s(D_u \cdot replace), S)$ - By the creation tables, Z finds for $E_u$ the corresponding $D_u$. Then Z encrypts $D_u$, concatenated with a predefined string (replace), by $E_s$, and sends it to S. 

R4. $(S, E_s(D_u \cdot replace), C_s)$ - Installation of the new key in $C_s$. The key $D_u$ will be installed only if it is concatenated with the correct string. The public key $D_z E_u$ is installed too. 

R5. The CPUs may be replaced. The replaced CPU ought to be returned to Z and its number verified. 

3. A Formal Analysis of PPS/PK 

The presentation of any nontrivial security protocol or system would not be 
complete without a formal representation of the assumptions and formal proof of 
security. Therefore, we prove that, under acceptable assumptions, PPS/PK is 
secure. This is done using the Transaction System Model [HP85]. We proceed by 
describing the essence of the model and the correspondence between the model 
and PPS/PK. The model as described below is a simplified version of the transaction model for systems in which the timing is irrelevant to the security. Merritt [M83] also presented a formal model for analyzing the security of protocols. 

The formalization of cryptographic protocols enables a precise inspection of 
the arguments of security. In the case of PPS, the reader is encouraged to inspect 
if the formal model is truly derived from the assumptions and protocols, and if the 
proofs of the security of the model are valid. 

3.1. The essence of the Transaction Model. 

A Transaction System (TS) is a partial algebra, defined by a domain and a set of relations on that domain. The domain of a TS is considered as the set of all the possible states of some information system. A state is defined by a set of variables. One of the variables is the set of all the messages transmitted so far. The set of messages transmitted is known to the attackers, since they have complete control over the communication lines. A state S is a set of values of all the variables. The relations on the domain represent the possible inferences available for the attacker. The relations are grouped into meaningful sets, called Transactions. Each transaction is a set of ordered pairs of states. A Transaction System $TS = (T, S)$ is defined by a set of transactions T on a set of states S. 

The definition of a TS does not yet ensure that the TS represents the real world 
correctly. A TS would be correct if all the possible inferences for the attacker 
from a given state, and no impossible inferences, may be obtained by executions of 
transactions from that state. For example, inferences include the innocent activities of other participants, usage of properties of functions used, etc. 

A pair of states $(S_i, S_{i+1})$ of a TS is an ordered pair, with $S_i$ termed Tail and $S_{i+1}$ termed Head, if $S_{i+1}$ is the result of applying some transaction of TS on $S_i$. A sequence of states $S_0, S_1, \ldots$ is a history, starting from $S_0$, if for all $i \ge 0$, $(S_i, S_{i+1})$ is an ordered pair. The length of a history is the number of states in the sequence. A state $S_i$ is $i$-reachable from state $S_0$ if there exists a history H of length $i+1$ which starts at $S_0$ and ends at $S_i$, and no shorter history exists from $S_0$ to $S_i$. If there exists an $i$ such that state $S_i$ is $i$-reachable from state $S_0$, then $S_i$ is reachable from $S_0$. If a state $S_k$ is not reachable from state $S_j$, we say that $S_j$ is harmless for $S_k$. A set of states is reachable if any of the states in the set is reachable. Similarly, we define the harmless property for a set of states. 

We state without proof some elementary and intuitive results. The proofs are 
simple, and are given in [HP85]. 

Lemma 4.1 proves the transitivity of the reachability property. 

Lemma 3.1. If a state $S_i$ is $i$-reachable from $S_0$, then every state $S_j$, $j$-reachable from $S_i$, is $(j+i-1)$-reachable from $S_0$. 

Theorem 4.1 proves that the results obtained will hold for more restricted cryptosystems, for example without commutativity between cryptographic operators. 

Theorem 3.2. Let S be a set of states harmless for a set of states D in TS; then in every TS' s.t. $Transactions(TS') \subseteq Transactions(TS)$, state S is harmless for D. 



3.2. PPS/PK as a TS. 

The protocols detailed in Section 3 for PPS/PK execution correspond to the 
following TS called PPS/PK, under the assumptions listed below: 

A. Information hidden inside a processor cannot be read. 

B. Resurrecting the software by observing the ports outside the CPU is infeasi- 
ble. 

C. The cryptosystems used are secure. The security requirements have been 
detailed in Section 3. 

D. The producer verifies faultlessly the identity of the user that sent the 
payment, and always delivers the software. The payment could have been 
implemented in the protocol, but it seemed unnecessary. 

E. No information leaks from Z (except by the replacement protocol). 

F. All the keys are cryptographically independent - no key may be obtained 
by known manipulations of other keys. The notion of cryptographic 
independence is formally defined in [HP85]. 

For proving the safety of PPS/PK we need consider only one producer of software, P. All the attackers may, however, use the protocol as if they are producers. For the analysis, assume that all the users are attackers (since the attackers can pose as honest users). The variables of PPS/PK are: X, the total expenses of the attackers; for every user $u$, $K_u$, the decyphering key of his computer $C_u$, which initially contains $D_u$ (during a CPU exchange, the K key of a spare computer is changed to the D key of the failing computer); for every dealer L, $Q_L$, which has the same role as the K key for the temporal key $F_L(i)$; and the set M of all the messages transmitted so far, which corresponds to the information held by the attackers. 

The only source of information in PPS is the defined transactions. Therefore if PPS is in any given state, then that state is reachable from some initial state in which no messages were sent. The transactions of PPS/PK are listed in Table 1. In the table, P denotes a program to be sold by some software producer for the sum of money cost (by T12, T13 and T14). An application of operator $a$ on string $b$ is denoted $a(b)$. We omitted the brackets where there was no danger of confusion. 

The TS model is a worst case analysis of the system. Therefore, data and keys 
are interchangeable (a key may be used as data and vice versa). Also, knowing the 
key of a cryptofunction is equivalent to knowing that cryptofunction. Therefore any 
string or key may be 'applied' to any string or key. This application may be done 
implicitly in some of the transactions, or directly by the attacker (by T7). When a 
transaction is explicitly used in one of the protocols, we note the step in the proto- 
col. For example, T9 is used in D5 (step D5 of the distribution protocol). 

The transactions basically represent the capabilities of the attackers. If an attacker manages to use some transaction with proper input, the table shows the output and the change in the system. The results of a transaction are added messages ("output") or a change of the variables X, Q or K. In the table, before any transaction is used, assume $K_u = D_u$ and $Q_u = F_u(i)$. 

Some of the transactions will not be available in certain implementations. For example, the transactions that present the commutativity of the PKCS will not be present with a non-commuting PKCS. But, from Theorem 4.1, the security properties that were proved hold as well without those transactions. Transaction T18, physically violating the CPU integrity, would not be considered part of PPS/PK. The TS that includes all the transactions, including T18, denoted PPS/PKV, will be referred to only in the last theorem. 

Notes: see the description of PPS and verify that all the steps in the protocols 
are performed by those transactions. We do not differentiate between operators 
and strings. When a string should be used as an operator, we use it as a key for the 
cryptographic operator. 

A special kind of attack may be performed by an attacker who is also a serviceperson. Such an attacker might accept a replacement for a CPU from Z without returning the original CPU. This attack causes expenses to the attacker (including risk); those expenses are denoted by R. Theorem 4.6 shows that after using T17, there is no way to get more than two CPUs that use the same key (that originally belonged only to one of them). This ensures also that if the CPU has been replaced properly, the attackers will have only one CPU with the old key, and therefore no gain. 

Another extreme attack is physically violating the enclosure of the CPU, to find the keys hidden within (T18). The expense of this attack is denoted by V. Theorem 4.8 shows that when PPS is implemented by a PKCS, even if T18 is used, the attacker must still use T12 with $E_z(E_u)$, where $u$ is the identity of the attacker's computer, to obtain the uncyphered program P. This result enables enforcement of auditing means against such attacks. 
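As an added illustration (not the paper's code, and not its Table 1, which this page does not reproduce), the following Python models a miniature Transaction System in the sense of Section 3.1 and computes reachability by fixpoint iteration: the attacker's knowledge M grows round by round, and the round in which a string first appears is its $i$-reachability. The three transactions are simplified stand-ins of my own for the table: apply any known key to any known string, strip a layer when the matching key is known ($E_x D_x = D_x E_x = 1$), and commute two operators; the key and message names are constructed. It checks that PGM, $D_u$ and a forged signature $D_z E_w$ are unreachable from the D1 and D4 messages, that the result survives removing the commutativity transaction (Theorem 3.2), and that after T18 (adding $D_u$ to the attacker's knowledge) only the program encrypted for the violated CPU becomes readable.

```python
# Added miniature Transaction System in the sense of Section 3.1, not the
# paper's code: the three transactions below are simplified stand-ins for
# Table 1 (not reproduced here) and the key and message names are constructed.

MAX_DEPTH = 3   # nesting bound on K1(K2(K3(s))): keeps the state space finite

def key(kind, owner):   # a key: kind 'E' (public) or 'D' (secret) of owner
    return ('key', kind, owner)

def app(k, s):          # operator k applied to string s; the paper writes ks
    return ('app', k, s)

def is_key(t):
    return isinstance(t, tuple) and t[0] == 'key'

def is_app(t):
    return isinstance(t, tuple) and t[0] == 'app'

def depth(t):
    return 1 + depth(t[2]) if is_app(t) else 0

def t_apply(M):         # keys and data interchange: any known key on any string
    keys = [t for t in M if is_key(t)]
    return {app(k, s) for k in keys for s in M if depth(s) < MAX_DEPTH}

def t_invert(M):        # E_x D_x = D_x E_x = 1: strip a layer whose mate is known
    out = set()
    for t in M:
        if is_app(t) and key('D' if t[1][1] == 'E' else 'E', t[1][2]) in M:
            out.add(t[2])
    return out

def t_commute(M):       # commuting PKCS (RSA has this property): K1 K2 s = K2 K1 s
    return {app(t[2][1], app(t[1], t[2][2])) for t in M if is_app(t) and is_app(t[2])}

ALL_T = (t_apply, t_invert, t_commute)
NON_COMMUTING = (t_apply, t_invert)      # a TS' with a subset of the transactions

def closure(M0, transactions):
    """Map every reachable string to the i for which it is i-reachable."""
    dist, i = {t: 0 for t in M0}, 0
    while True:
        M = set(dist)
        new = set().union(*(tr(M) for tr in transactions)) - M
        if not new:
            return dist
        i += 1
        dist.update((t, i) for t in new)

def harmless(M0, transactions, targets):
    """True when no state containing a target string is reachable from M0."""
    reach = closure(M0, transactions)
    return not any(t in reach for t in targets)

# Constructed scenario: the attacker reads every line, owns CPU w (so knows E_w
# but not D_w) and wants PGM, which was sold to CPU u.
E_z, D_z = key('E', 'z'), key('D', 'z')
E_u, D_u = key('E', 'u'), key('D', 'u')
E_w = key('E', 'w')
M0 = frozenset({E_z, E_u, E_w,            # public keys
                app(D_z, E_u),            # D1: u's key signed by Z
                app(E_u, 'PGM'),          # D4: the package for CPU u
                app(E_w, 'PGM2')})        # another package, for CPU w
TARGETS = ('PGM', D_u, app(D_z, E_w))     # plaintext, secret key, forged signature

def analyse():
    """Reachability results to compare with Lemma 3.3, Theorem 3.4 and T18."""
    violated = M0 | {D_u}                 # T18: enclosure of CPU u opened
    return {
        'pps_pk_harmless': harmless(M0, ALL_T, TARGETS),
        'non_commuting_also_harmless': harmless(M0, NON_COMMUTING, TARGETS),
        'rounds_to_pgm_after_t18': closure(violated, ALL_T).get('PGM'),
        'other_cpus_package_still_safe': harmless(violated, ALL_T, ('PGM2',)),
        'signature_still_unforgeable': harmless(violated, ALL_T, (app(D_z, E_w),)),
    }
```

The depth bound is what makes the closure finite; the paper's model has no such bound, so a result of "unreachable" here is evidence in the spirit of the proofs in Section 3.3, not a substitute for them. The subset check for NON_COMMUTING is the content of Theorem 3.2: fewer transactions can only shrink the reachable set.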

3.3. Proofs of PPS/PK security. 

The next lemma shows that no attacker can forge the signature of Z. The dis- 
cussion in this section refers always to PPS/PK, except where stated otherwise. 

Lemma 3.3. If $S = (M, X, K)$ is reachable from $S_0 = (null, X_0, K_0)$, where $D_z a \in M$, then there exists a computer $C_u$ and $b$ such that $a = E_u b$. 

Proof. Only T10 produces a message that includes $D_z$, therefore $D_z E_u$ must have been manipulated to produce $D_z a$. To remove $E_u$ only T9 or T1 can be used. But the only result of T9 is operated by O, and there is no transaction that removes O. The use of T1 to remove $E_u$ requires an input string that includes $D_u$ but not $E_u$. But no transaction produces such a string. Therefore $D_z a$ cannot be produced unless $a = E_u b$. ■ 

Theorem 4.4 shows that the attacker cannot reproduce the decyphered code P, given the encrypted program by T12 or T13. The producer's computer uses $E_z$ on the input string $x$ sent by the user, to produce the encryption for the program P. This is given by $[E_z x] P$ for any string $x$. Reproducing the encrypted program implies $P \in M$. 



Theorem 3.4. If $S_1 = (M_1, X, K)$ is a harmless state for $W = W_a \cup W_b$, where $W_a = \{(M, X, K) \mid P \in M\}$ and $W_b = \{(M, X, K) \mid \exists D_u \text{ such that } D_u \in M\}$, then $S_2 = (M_1 \cup [E_z x] P, X, K)$ is harmless for W. 

Proof. By contradiction, assume W is reachable from $S_2$. Since $S_1$ is harmless for W, then $m_2 = [E_z x] P$ has been used to reach W. The only transaction, when $D_u$ is unreachable, that removes $E_z$ is T10, where $x = D_z E_u$. Therefore it remains to show that $S_3 = (M_1 \cup E_u P, X, K)$ is harmless for W. However, there is no transaction that removes $E_u$ when $D_u$ is unreachable. Thus, both $W_a$ and $W_b$ are unreachable, since both require the removal of $E_u$ and $D_z$. ■ 

We have shown the original code cannot be obtained. Now we prove that the 
code cannot be 'adjusted' to another computer, i.e. no manipulation to the 
encrypted code produces code encrypted by a key of a different CPU. The idea of 
the theorem is that if an attacker can't get a program without paying, then he 
can't get two programs without paying twice the price of the program. 

Theorem 3.5. If $S \in \{(M, Y, K) \mid Y < cost\}$ is a harmless state for the set of states $U_1$ defined below, then it is also harmless for $U_2$, where
$U_1 = \{(M,X,K) \mid (X < cost) \,\&\, (E_u P \in M) \,\&\, (K_i = D_u \neq null)\}$ and
$U_2 = \{(M,X,K) \mid (X < \min(2 \cdot cost, R)) \,\&\, (E_u P, E_w P \in M) \,\&\, (j \neq i)(K_i = D_u \neq null)(K_j = D_w \neq null)\}$.

Proof. If $E_u P \in M$, T12 or T13 must have been used. By Theorem 4.4, P is not in M. If T13 has been used to reach $E_u P \in M$ from S, then T14 must have been used before, since it is the only transaction that produces $F_u(i)[P, F_u(i+1)]$. But if T14 occurred, it must have been in a history reachable from S, since $Y < cost$. In order to prove that $U_2$ is not reachable from S, we notice that T12 and T14 cannot be used twice. Also, from the arguments above, T13 cannot be used again. Therefore $E_w P$ cannot be produced by T12 or T13, and since no transaction removes $E_u$, it remains to show that no two computers can have the same key. That is, for every two computers $i, j$ where $i \neq j$, $K_i = K_j = D_i \neq null$. In order to get a second key, transaction T17 or T16 must be used. Since $X < R$ in $U_2$, only T16 can be used, but the application of T16 changes $K_w$ to null. ■




If the deciphered code is unreachable, as we showed in Theorem 4.4, and we cannot encrypt the code for another CPU, according to Theorem 4.5, there still remains an alternative: to generate several computers with the same keys. Then the attacker has to pay for only one copy, and actually obtains several copies.

This attack cannot be prevented completely, since we must permit replacement of CPUs (see Section 3.3). Indeed the same problem exists in the other software protection methods, and the solutions available are usually rather unsatisfactory [HK84].

It is now proved that all the CPUs with the same keys, except one, should be returned to Z. Therefore the effect of these attacks is minimal. Given two computers with different keys, T17 must be used in order to make the keys of both computers equal and meaningful. Meaningful keys are keys that decypher programs distributed by T12 or T13.

Theorem 3.6. Let $S_0 = (M_0, X_0, K_0)$ be a state such that $M_0 = \emptyset$ and $X_0 = 0$ and all the keys are cryptographically independent. Then $S_0$ is harmless for
$U = \{(M,X,K) \mid (j \neq i)(K_i = K_j = a^{-1} \neq null) \,\&\, (D_z a \in M) \,\&\, X < R\}$.

Proof. Since $X < R$ in U, T17 cannot be used. The only transaction that changes keys is T15; but in order to use it, T16 must be employed. But if T16 has been used to produce $E_u(D_w; replace)$, where $K_i = D_u$ and $K_j = D_w$ before T16, then $K_j = null$ after T16, and since T15 may be used only for $C_u$, $S_0$ is still harmless for U. ■

We state somewhat informally and without proof the following theorem, which gives the expenses of the attacker for obtaining n computers with identical keys.

Theorem 3.7. If S is harmless for $U = \{(M,X,K) \mid (X < R) \,\&\, (i \neq j)(K_i = K_j \neq null)\}$ then it is harmless for $W = \{(M,X,K) \mid (X < R \cdot \log_2(q)) \,\&\, (|I| = q) \,\&\, ((i, j \in I) \Rightarrow$

The next result is, perhaps, of minor importance. We prove that even if T18 is used, and all the keys in a CPU are revealed, the attackers cannot forge the signature of Z. Thus the attackers still have to order software by sending the correct public key. This result holds only when PPS is implemented using PKCS. We denote by PPS/PKV the system PPS/PK with the addition of T18. Let V be the price for violating the integrity of the CPU.

Theorem 3.8. In PPS/PKV, if S is harmless for $U_1 = \{(M,X,K) \mid (D_z a \in M) \,\&\, (X < V)\}$ then it is harmless for $U_2 = \{(M,X,K) \mid D_z a \in M\}$.

Proof. There is no transaction, including T18, that performs $D_z$ on a given string. ■

4. PPS Implemented with Conventional Cryptosystem. 

Implementing PPS by PKCS is quite natural, but also quite difficult. No available chip performs a PKCS, and the security of PKCS is still in doubt. Conventional cryptosystems are more mature. Several methods have been implemented in integrated circuits and are considered quite secure. The best known is [DES77].

The implementation of PPS by a conventional cryptosystem is based on emulating the required properties of PKCS by adding redundant information. Two features of PKCS are used in PPS:

1) Signatures - used to ensure that keys are not invented.

2) Secrecy - the program is encrypted by the distributor, yet he cannot decypher programs encrypted by other distributors.

4.1. PPS/C.

When using conventional cryptosystems, the signatures implemented with PKCS before are now implemented by the processors. Each processor contains three hidden keys:

1) K_z - The key of Z

2) K_u - Computer's key

3) F_u(i) - Temporal key for indirect software distribution

The emulation is performed by implementing E_u, D_u with conventional keys, and the protocols are given in the following sections. Section 5.5 contains the corresponding transactions, which form a TS denoted by PPS/C.

We assume the cryptosystems are secure, i.e. an attacker cannot determine m from K_a(m) without knowing K_a. It is also impossible to find K_a from m and K_a(m). Most cryptosystems are presumed to be secure in this manner. Note that we permit the encryption to be commutative, i.e. K_a K_b(a) = K_b K_a(a).

4.2. Direct software distribution protocol (PPS/C).

The following is the protocol for direct distribution of software, from producer P to the user U. The words key, prog and replace are predefined strings used in the protocol. It is implicit that, whenever possible, honest participants in the protocol check for those strings in the input.

D1. (U, K_z(K_u; key), P) - The user sends his key signed and hidden by K_z.

D2. (P, (K_z(K_u; key), PGM), C_p) - The producer enters both the user's key and the program into his computer.

D3. (C_p, K_u(PGM; prog), P) - The encrypted program is given to the producer.

D4. (P, K_u(PGM; prog), U) - The producer transfers the encrypted program to the user.

D5. (U, K_u(PGM; prog), C_u) - The user gives his computer the encrypted program.

D6. (C_u, O(PGM), U) - The computer executes the program.
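The direct distribution protocol D1-D6 simulated end to end, as an added example rather than the paper's own code. The conventional cipher K_a(m) is stood in for by a constructed SHA-256 keystream (symmetric and commutative, as the paper permits); K_Z, the key names and the program bytes are constructed values, and the "key"/"prog" redundancy checks are the point of the exercise.

```python
import hashlib

# Added example (not the paper's code): PPS/C direct distribution, steps D1-D6.
# K_a(m) is emulated by XORing m with a SHA-256 counter-mode keystream derived
# from key a; K_a(K_a(m)) = m, and K_a K_b(m) = K_b K_a(m) as the paper allows.
KEY_TAG, PROG_TAG = b";key", b";prog"
K_Z = b"constructed-Z-master-key"      # hidden in every CPU at manufacture

def K(key: bytes, m: bytes) -> bytes:
    """Constructed stand-in for K_key(m): XOR m with a keystream from key."""
    stream, ctr = bytearray(), 0
    while len(stream) < len(m):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(m, stream))

def strip_tag(plain: bytes, tag: bytes) -> bytes:
    """Honest participants reject any decryption lacking the expected string;
    the redundant string is what replaces the PKCS signature in PPS/C."""
    if not plain.endswith(tag):
        raise ValueError("redundancy check failed: missing %r" % tag)
    return plain[:-len(tag)]

def user_cpu_d1(k_u: bytes) -> bytes:
    """D1: the user's CPU releases its key only signed-and-hidden under K_z."""
    return K(K_Z, k_u + KEY_TAG)

def producer_cpu_d2_d3(signed_key: bytes, pgm: bytes) -> bytes:
    """D2/D3: the producer's CPU unwraps the user key, checks ';key', and
    returns PGM encrypted under K_u with the ';prog' redundancy appended."""
    k_u = strip_tag(K(K_Z, signed_key), KEY_TAG)
    return K(k_u, pgm + PROG_TAG)

def user_cpu_d5_d6(k_u: bytes, enc_pgm: bytes) -> bytes:
    """D5/D6: the user's CPU decrypts, checks ';prog', and only then executes
    (here: returns) the program; PGM itself never leaves the CPU."""
    return strip_tag(K(k_u, enc_pgm), PROG_TAG)

def run_direct_distribution(k_u: bytes, pgm: bytes) -> bytes:
    """The whole exchange; D4 is just the producer forwarding D3's output."""
    d1 = user_cpu_d1(k_u)
    d3 = producer_cpu_d2_d3(d1, pgm)
    return user_cpu_d5_d6(k_u, d3)

def forged_key_rejected(fake_k_u: bytes, pgm: bytes) -> bool:
    """Without K_z an attacker cannot form K_z(K_u;key); the producer's CPU
    notices because the ';key' string does not survive decryption under K_z."""
    try:
        producer_cpu_d2_d3(K(b"not-the-Z-key", fake_k_u + KEY_TAG), pgm)
    except ValueError:
        return True
    return False
```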

4.3. Indirect software distribution protocol (PPS/C).

The following is the protocol for indirect distribution of software, from producer P to a user U via a dealer L.

I1. (P, F_u(i)[PGM, F_u(i+1)], L) - Producer P sells token i to dealer L. This step may be done (for several tokens) before the other steps of the protocol.

I2. (U, K_z(K_u; key), L) - User U sends his public key to the dealer.

I3. (L, (K_z(K_u; key), F_u(i)[PGM, F_u(i+1)]), C_L) - The dealer uses token i.

I4. (C_L, K_u(PGM; prog), L) - The encrypted program is given to the dealer. At the same time, C_L changes from F_u(i) to F_u(i+1).

I5. (L, K_u(PGM; prog), U) - From this step on, same as direct distribution.

I6. (U, K_u(PGM; prog), C_u) - The user enters the program into his computer.

I7. (C_u, O(PGM), U) - The computer executes the program.

4.4. CPU replacement protocol (PPS/C)

The following protocol in PPS/C is for the replacement of a user's CPU. The serviceperson S replaces C_u with C_s, with the help of Z.

R1. (U, K_z(K_u; key), S) - User U sends his key to S.

R2. (S, (K_z(K_u; key), K_z(K_s; key)), Z) - The serviceperson sends both keys to Z.

R3. (Z, K_s(K_u; replace), S) - Note that Z, in PPS/C, does not have to keep track of the keys.

R4. (S, K_s(K_u; replace), C_s) - New key installation.

R5. The CPUs are replaced. The replaced CPU ought to be returned to Z.

4.5. PPS/C as a TS

The transactions of PPS/C are listed in Table 2 for computers C_u and C_L. The variables of PPS/C are: X is the total expenses of the attackers; for every user u, K_u is the key of his computer C_u; for every dealer L, K_L is the temporal key F_L(i); and M is the set of all the messages transmitted so far, which corresponds to the information held by the attackers.

Theorems 4.3-4.8 may be proved for PPS/C, but since they are simple and similar to the proofs for PPS/PK, we will not give them here.






5. Conclusion 

The problem of software piracy causes considerable losses to software pro- 
ducers. The scheme presented - PPS - provides proved, reliable protection, and 
convenient protocols for distribution of software and replacement of CPUs. PPS 
requires implementation of cryptographic capabilities - public key or conventional 
key - inside the CPU. This is a challenge for all CPU manufacturers!

We believe that by using suitable protection methods software piracy could be 
rendered obsolete. Such a step will be to the benefit of all the parties involved 
(well, almost ...). 

6. Acknowledgments 

We thank Mr. Gadi Karmi for his proofreading. 

7. References:

[AM84] D.J. Albert and S.P. Morse, "Combating Software Piracy by Encryption and Key Management", Computer, April 1984.

[DES77] National Bureau of Standards, "Data Encryption Standard", Federal Information Processing Standard Publication 46, January 1977.

[DH76] W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22, 1976.

[HK84] A. Herzberg and G. Karmi, "On Software Protection", Proc. Fourth JCIT, Jerusalem, Israel, April 1984.

[HP85] A. Herzberg and S. Pinter, "The Transaction System Model and Security Engineering", in preparation.

[M83] M.J. Merritt, "Cryptographic Protocols", GIT-ICS-83/06, doctoral dissertation, The Georgia Institute of Technology, 1983.

[RSA78] R.L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Comm. ACM, Vol. 21, No. 2 (Feb. 1978).






Table 1: Transactions of PPS/PK.

T#    Input                    Output                   Change             Steps
T1    D_u E_u a                a                        -                  D3
T2    E_u D_u a                a                        -                  -
T3    E_u D_w a                D_w E_u a                -                  -
T4    E_u E_w a                E_w E_u a                -                  -
T5    D_u D_w a                D_w D_u a                -                  -
T6    D_u E_w a                E_w D_u a                -                  -
T7    a, b                     a(b)                     -                  -
T8    a                        O(a)                     -                  -
T9    E_u a                    O(a)                     -                  D5, I7
T10   -                        D_z E_u                  -                  D1
T11   D_z a, b                 a(b)                     -                  D2, D3
T12   D_z a                    a(P)                     X = X + cost       D2, D3
T13                            a(P)                     Q_u = F_u(i+1)     I3, I4
T14   -                        F_u(i)[P, F_u(i+1)]      X = X + cost       I1
T15   E_u(a; replace)                                   K_u = a            R4
T16   D_z E_u, D_z E_w         E_u(D_w; replace)        K_w = null         R4, R5
T17   D_z E_u, D_z E_w         E_u(D_w; replace)        X = X + R
T18                            D_u, E_z, Q_u            X = X + V

(Cells left blank are illegible in the source.)



Table 2: Transactions of PPS/C.

T#    Input                            Output                 Change          Steps
T1                                     a
T2
T3    a, b                             ab
T4    a                                O(a)
T5    K_u(a; prog)                     O(a)                                   D5, I7
T6    -                                K_z(K_u; key)                          D1, R1, R2, I2
T7    K_z(a; key), b                   a(b; prog)             -               D3
T8    K_z(a; key)                      a(P; prog)             X = X + cost
T9                                     a(P; prog)                             I3, I4
T10   -                                                       X = X + cost    I1
T11   K_u(a; replace)                                         K_u = a         R4
T12   -                                K_u(K_w; replace)      K_w = null      R4, R5
T13   K_z(K_u; key), K_z(K_w; key)     K_u(K_w; replace)      X = X + R

(Cells left blank are illegible in the source.)

Fingerprinting Long Forgiving Messages 

G. R. Blakley 
C. Meadows* 
G. B. Purdy 
Department of Mathematics 
Texas A&M University 
College Station, Texas 77843-3368 

In his 1983 paper, Neal Wagner [1] defines a perfect fingerprint to be 
an identifying fingerprint added to an object in such a way that any 
alteration to it that makes the fingerprint unrecognizable will also 
make the object unusable. A perfect fingerprinting scheme for binary 
data would seem difficult to devise, since it would be possible to dis- 
cover the fingerprints by comparing different fingerprinted copies of the 
same piece of data. In this paper we discuss a fingerprinting scheme 
which, although it does not surmount this problem entirely, at least 
specifies the number of copies an opponent must obtain in order to 
erase the fingerprints. 

The fingerprints involved will be rather lengthy, so we will restrict ourselves to what we will call long forgiving messages. A forgiving message is one which is still readily understandable and not jarring when up to 0.1% of it has been altered. Examples are voice and television. People can speak comfortably amid the noise of a cafeteria and can enjoy watching a television show with several pixels per frame altered. The idea in each case is that the support of the noise (the set outside which the additive noise must vanish) must have small

*Now at Computer Science and Systems Branch, Naval Research Laboratory, Washington, D.C. 20375.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 180-189, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






measure. We must also require that our messages not be too forgiving, 
since otherwise it would be possible to erase the fingerprints by adding 
random noise and still have a usable message. 

Let P be a long forgiving message (for example, a digital TV show). We wish to protect P from piracy by adding a different fingerprint F to each copy of P in such a way that a pirate who wishes to copy P + F and distribute it illicitly cannot erase the information about the origin of P contained in F unless he has obtained a certain predetermined number of different copies. We will define a d out of n fingerprint scheme to be one in which n objects are fingerprinted, and in which the pirate must obtain d copies in order to erase the fingerprint from one copy. A fingerprint F must also obey the following constraints: If we think of the M-tuples P and F as functions from the set {1,2,...,M} to $Z_2$ then

[a] Supp(F), the subset of {1,2,...,M} outside of which F vanishes, must 
be small enough so that F does not interfere with the viewability of 
the program. 

[b] Supp(F) must be large enough so that F cannot be eradicated by 
random noise without affecting the usability of the message. 

We construct the n fingerprints, $F_1$ through $F_n$, in the following manner. Fix an integer k. For each subset A of {1,2,...,n} of cardinality ≤ k, choose a subset S(A) of {1,2,...,M} such that $A \neq B \Rightarrow S(A) \cap S(B) = \emptyset$. Then let

$$F_i = \sum_{A \ni i} \chi(S(A))$$

where χ denotes the characteristic function. Note that the number of sets S(A) is

$$\sum_{j=1}^{k} \binom{n}{j}$$

and so k must be relatively small.

Suppose that the pirate has obtained copies 1 through l, with fingerprints $F_1$ through $F_l$, and that he wants to erase the fingerprint from $P + F_1$ by adding some function E to it so that the origin of $P + F_1 + E$ is not ascertainable by the owner. (We use the word owner to mean the owner of the pristine copy.) Ideally, of course, he would like E to be $F_1$, but if not, at least he would like E to be the sum of some χ(S(A))s such that 1 ∈ A and some χ(S(A))s such that 1 ∉ A. The former will serve to cancel out various components of $F_1$, and the latter will serve to give the owner misleading information about the origins of the other copies that the pirate has obtained. Of course, the pirate would prefer, in order to give the most misleading information possible, to add on characteristic functions of sets S(A) such that A ∩ X = ∅. Since he has absolutely no way of finding out such an S(A) (except by obtaining more copies), he is reduced to adding on some random function R if he wishes to do this. However, the support of R must be relatively small in order not to interfere with the usability of the message. It follows that the probability that the intersection of Supp(R) and any S(A) will be large enough to mislead the owner is small, and therefore that the addition of a random function will not be useful in hiding information.

Thus the pirate's best options are either to add on various χ(S(A))s that he knows or to add on functions whose supports are randomly chosen subsets of the S(A)s. However, he usually cannot find out the various S(A)s directly. What he can find are the sets at which the copies he possesses differ from each other. In particular, for each subset A of X = {1,2,...,l} of cardinality #(A) ≤ l/2, he can compute the set

$$B(A) = \{x \in \{1,\ldots,M\} \mid (P + F_i)(x) = (P + F_j)(x) \iff i, j \in A \text{ or } i, j \notin A\}.$$

(There is no point in computing B(A) for #(A) > l/2, since B(A) = B(X − A).) For example, B({1}) is the set of all points at which $P + F_1$ differs from all other of the $P + F_i$s. An element x would either be in B({1}) because x ∈ Supp($F_1$) and x ∉ Supp($F_2$) through Supp($F_l$), or because x ∉ Supp($F_1$) but x ∈ Supp($F_2$) through Supp($F_l$). Similarly, B({1,2}) is the set of all points at which $P + F_1$ and $P + F_2$ agree with each other but differ from the rest of the $P + F_i$s, and so on. Thus, if 1 ∈ A, adding on χ(B(A)) to $P + F_1$ is the same as changing $P + F_1$ at all points at which it agrees with the copies in A and disagrees with the copies not in A. For example, adding χ(B({1,2})) to $P + F_1$ is the same as changing $P + F_1$ at all points at which it agrees with $P + F_2$ and disagrees with all the other copies the pirate possesses.

Lemma 1. If #(A) < l − k, then

$$B(A) = \bigcup\{S(C) \mid \#(C) \le k \text{ and } C \cap X = A\}$$

and if #(A) ≥ l − k, then

$$B(A) = \bigcup\{S(C) \mid \#(C) \le k \text{ and } [C \cap X = A \text{ or } C \cap X = X - A]\}$$

where ∪{X | Y} denotes the union of all sets X with property Y.

Proof. Suppose x ∈ B(A). Then all the $P + F_i$s such that i ∈ A agree at x and disagree at x with all the $P + F_j$s such that j ∈ X − A. Thus either

$$x \in \bigcap\{\mathrm{Supp}(F_i) \mid i \in A\} = \bigcup\{S(C) \mid \#(C) \le k \text{ and } C \cap X = A\}$$

or

$$x \in \bigcap\{\mathrm{Supp}(F_j) \mid j \in X - A\} = \bigcup\{S(C) \mid \#(C) \le k \text{ and } C \cap X = X - A\}.$$

Conversely, if x is in either of these sets, then all the $P + F_i$s such that i ∈ A agree at x and disagree with all the $P + F_j$s such that j ∈ X − A, and so x ∈ B(A). Thus the second part of the lemma follows. However, if #(A) < l − k, then #(X − A) > k, and thus there is no C of cardinality ≤ k such that C ∩ X = X − A. Thus the first part of the lemma follows. QED.

The following corollary tells us that if the number of copies the pirate possesses is large enough, then he has enough information to erase the fingerprints entirely.

Corollary 2. If l > 2k, then

$$\bigcup\{B(A) \mid 1 \in A\} = \mathrm{Supp}(F_1).$$

Proof. If l > 2k, then #(A) < l − k for all subsets A of X = {1,2,...,l} of cardinality ≤ l/2. It follows from Lemma 1 that

$$B(A) = \bigcup\{S(C) \mid \#(C) \le k \text{ and } C \cap X = A\}.$$

We thus have

$$\bigcup\{B(A) \mid 1 \in A \text{ and } A \subseteq X\} = \bigcup\{S(C) \mid 1 \in C \text{ and } \#(C) \le k\} = \mathrm{Supp}(F_1).$$

QED.

Thus in the case l > 2k, the pirate can determine $F_1$ and add it to $P + F_1$ in order to obtain a pristine copy P.

Suppose that l < 2k. We will show that in this case the pirate who seeks to obtain a pristine copy of P by adding on various χ(B(A))s not only cannot mislead the owner but risks giving him even more information than before.

Lemma 3. Let $E = F_1 + Q$ where Supp(Q) is the union of some set of B(A)s. Suppose that there exists a t such that no S(A) where #(A) ≤ t appears in Supp(E). If some S(A) such that #(A) = t + 1 appears in Supp(E), then A ⊆ X.

Proof. Suppose that A ⊄ X. Then #(A ∩ X) ≤ t and so S(A ∩ X) does not appear in Supp(E) by hypothesis. By Lemma 1, we have S(A) ⊆ B(A ∩ X) and S(A) ∩ B(C) = ∅ for any other C ⊆ X. Therefore B(A ∩ X) appears in Supp(E). We thus have only two possibilities. Either 1 ∈ A and B(A ∩ X) does not appear in Supp(Q), or 1 ∉ A and B(A ∩ X) does appear in Supp(Q). In either case we have S(A ∩ X) ⊆ Supp(E), contradicting our assumption that no S(C) where #(C) ≤ t appears in Supp(E). QED.

Lemma 4. Suppose that l < 2k. Then the pirate who attempts to erase information about the origin of $P + F_1$ by adding to it various χ(B(A))s must add on all χ(B(A)) such that 1 ∈ A and #(A) ≤ [l/2].

Proof. The proof is by induction on the size of A. First, suppose that A = {1}. The pirate must add χ(B({1})) to $P + F_1$, for he must remove χ(S({1})) from $P + F_1$, since, if it were left in, the fact that S({1}) is contained in Supp($F_1$) but in no other Supp($F_j$) would tell the owner that the pirate had had access to copy 1. But, since S({1}) is contained in B({1}) and no other B(A), the pirate has no way of knowing which elements of B({1}) are in S({1}) and which aren't. Thus the only way the pirate can remove S({1}) is by adding χ(B({1})).

Next, assume that the pirate has added on all χ(B(A)) for all A such that 1 ∈ A and #(A) ≤ t, for some t < [l/2]. Let $E = F_1 + Q$, where Q is the function that the pirate has added on. We will show that the support of E contains no S(A) such that #(A) ≤ t. Clearly, the pirate has erased all χ(S(A)) such that 1 ∈ A ⊆ X and #(A) ≤ t. Moreover, he has not added on any χ(S(C)) such that #(C) ≤ t. For by Lemma 1 the only way he could have done this would be if X ∩ C = X − A, where A is one of the sets of cardinality ≤ t such that χ(B(A)) was added on. But this would imply that #(X − A) ≤ t, and hence l = #(X) ≤ 2t, which contradicts our assumption that t < [l/2].

The owner can now conclude from Lemma 3 that if χ(S(A)) appears in the support of E, and #(A) = t + 1, then A ⊆ X. Moreover, such sets A exist, since t + 1 ≤ [l/2] and l < 2k. Now all he has to do is take the union of all A such that #(A) = t + 1 and χ(S(A)) appears in the support of E in order to find out which copies the pirate had access to.

Thus the pirate must do something further if he wants to hide the origin of his copy. He has two options. First, he can add on various χ(B(A)) where 1 ∉ A. But he can't add on any χ(B({a})), or the owner will be able to tell, by the appearance of S({a}) in the support of E, that the pirate had access to copy a. However, if he doesn't add on any χ(B({a})), there is some q ≤ [l/2] such that no S(A) such that #(A) < q appears in the support of E but some S(A) such that #(A) = q does appear. The owner can then use Lemma 3 as before to find the other copies the pirate had access to.

The pirate's other option is to add on some or all of the χ(B(A))s such that #(A) = t + 1 in order to erase some or all of such χ(S(A))s appearing in $F_1$. But he must erase all such χ(S(A))s, since if there was even one that he did not erase, the owner would again be able to conclude, using Lemma 3, that the pirate had had access to every copy a such that a ∈ A. QED.

Theorem 5. Suppose that l < 2k. Then a pirate cannot erase information about the origin of $P + F_1$ by adding various χ(B(A))s without revealing information about the origins of the other copies he has access to.

Proof. By Lemma 4 the pirate must add on all χ(B(A)) such that 1 ∈ A and #(A) ≤ [l/2]. It follows from Lemma 1 and the fact that l < 2k that he has also added on all χ(S(X − A)) such that 1 ∈ A ⊆ X and #(A) = [l/2]. In other words, he has added on all χ(S(A)) such that 1 ∉ A ⊆ X and #(A) = l − [l/2]. Once again the owner can tell, from the absence of any χ(S(A)) such that #(A) < l − [l/2], that the pirate has eliminated all such χ(S(A)). Moreover, once again the owner can use Lemma 3 to reason that, if any χ(S(A)) such that #(A) = l − [l/2] appears in the altered function, then A ⊆ X. The owner takes the union of all such A to find X − {1}. QED.

Thus if 2k > l, the pirate cannot erase information about the origin of $P + F_1$ by adding various χ(B(A))s to it without giving away information about the other copies he's obtained. But what if he adds on some χ(D) where D is a randomly chosen subset of some B(A)? If the pirate were lucky, such a D might contain all or most of the sets S(C) such that C ∩ X = A and none or few of the sets S(C) such that C ∩ X = X − A. This can be made less likely by choosing the sets S(C) large enough so that the chance that such a D would either miss any S(C) entirely (if D is large) or contain an entire S(C) (if D is small) or miss some S(C)s and contain others (if D is medium-sized) is negligible.

We are thus led to conclude that the fingerprint scheme described above is a 2k + 1 out of n fingerprint scheme.
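A toy instance of the scheme, as an added example that is not part of the paper: it builds the disjoint blocks S(A) and the supports of the F_i, computes the sets B(A) a pirate holding copies X can see, verifies Lemma 1 and Corollary 2 exhaustively, and implements the owner's tracing step from Lemma 3 (n, k, s and the copy sets are constructed values).

```python
from itertools import combinations

# Added example, not from the paper. Copies are indexed 1..n, positions are
# 0..M-1, and a Z_2-valued function is represented by its support (a set),
# so the sum of characteristic functions of disjoint sets is their union.

def build_scheme(n, k, s):
    """S maps each index set A with 1 <= #(A) <= k to a block S(A) of s fresh
    positions (distinct A give disjoint S(A)); F[i] = Supp(F_i) is the union
    of the S(A) with i in A. Returns S, F and M, the total length used."""
    S, pos = {}, 0
    for size in range(1, k + 1):
        for A in combinations(range(1, n + 1), size):
            S[frozenset(A)] = frozenset(range(pos, pos + s))
            pos += s
    F = {i: frozenset().union(*[blk for A, blk in S.items() if i in A])
         for i in range(1, n + 1)}
    return S, F, pos

def B(F, M, X, A):
    """B(A) for a pirate holding copies X: positions where the copies in A
    agree with each other and differ from every copy in X - A (P cancels)."""
    X, A = frozenset(X), frozenset(A)
    out = set()
    for x in range(M):
        inside = {x in F[i] for i in A}
        outside = {x in F[j] for j in X - A}
        if len(inside) == 1 and len(outside) == 1 and inside != outside:
            out.add(x)
    return frozenset(out)

def lemma1_rhs(S, X, A, k):
    """Right-hand side of Lemma 1: first form if #(A) < l - k, else second."""
    X, A = frozenset(X), frozenset(A)
    targets = {A} if len(A) < len(X) - k else {A, X - A}
    return frozenset().union(*[blk for C, blk in S.items() if C & X in targets])

def check_lemma1(n, k, s, X):
    """Lemma 1 checked exhaustively for every A of cardinality <= l/2."""
    S, F, M = build_scheme(n, k, s)
    X = frozenset(X)
    As = [frozenset(A) for r in range(1, len(X) // 2 + 1)
          for A in combinations(sorted(X), r)]
    return all(B(F, M, X, A) == lemma1_rhs(S, X, A, k) for A in As)

def check_corollary2(n, k, s, X):
    """Corollary 2: with l > 2k the union of B(A) over A containing copy 1
    (#(A) <= l/2) is exactly Supp(F_1)."""
    S, F, M = build_scheme(n, k, s)
    X = frozenset(X)
    As = [frozenset(A) for r in range(1, len(X) // 2 + 1)
          for A in combinations(sorted(X), r) if 1 in A]
    return frozenset().union(*[B(F, M, X, A) for A in As]) == F[1]

def trace(S, supp_E):
    """Owner's tracing (Lemma 3): given E = altered copy + P, take the blocks
    S(A) fully contained in Supp(E) with minimal #(A); Lemma 3 says those A
    lie inside X, so their union names copies the pirate had access to."""
    present = [A for A, blk in S.items() if blk <= supp_E]
    if not present:
        return frozenset()
    t = min(len(A) for A in present)
    return frozenset().union(*[A for A in present if len(A) == t])

def lemma4_scenario(n, k, s, X):
    """l < 2k: the pirate adds every chi(B(A)) with 1 in A, #(A) <= [l/2],
    the moves Lemma 4 forces; returns what the owner's trace then reveals."""
    S, F, M = build_scheme(n, k, s)
    X = frozenset(X)
    E = set(F[1])
    for r in range(1, len(X) // 2 + 1):
        for A in combinations(sorted(X), r):
            if 1 in A:
                E ^= B(F, M, X, A)
    return trace(S, frozenset(E))
```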

The construction of such a fingerprint scheme now seems easy. We simply choose the level of protection we desire and construct the appropriate sets S(A). We are faced with one problem, however: the size of the fingerprints grows exponentially with the level of protection desired. As a matter of fact, since each fingerprint $F_i$ is made up of all S(A) such that #(A) ≤ k and i ∈ A, we have, if #(S(A)) = s for each such A, that

$$\#(\mathrm{Supp}(F_i)) = s \sum_{j=1}^{k} \binom{M-1}{j-1}$$

where M is the total number of messages. Thus the size of the fingerprints could easily grow to the point at which they start interfering with the messages.

We can get around the problem of exponential growth somewhat by using several less ambitious fingerprint schemes concurrently. For example, suppose that an owner wishes to protect about 27,000 copies of his message. If he used a 31 out of 27,000 fingerprint scheme, each fingerprint would take up more than s10 bits. However, suppose that he constructs three 31 out of 31 fingerprint schemes $\{F_1, \ldots, F_{31}\}$, $\{G_1, \ldots, G_{31}\}$, and $\{H_1, \ldots, H_{31}\}$. Each of these three fingerprint schemes takes up

$$s \sum_{j=1}^{15} \binom{30}{j-1}$$

bits per fingerprint. Such fingerprint schemes will still take up a relatively small amount of space in something as large as a digital TV show. (If this number is still considered unmanageably large, the owner could instead construct, say, three 13 out of 31 fingerprint schemes, each of which would take up about s200,000 bits per fingerprint, as opposed to a 13 out of 27,000 fingerprint scheme, which would take up about $10^{20}$ bits per fingerprint.) The owner divides his distribution area into 31 geographic areas, each with 31 outlets selling 31 copies each. The ith copy in the jth outlet in the kth geographic area is fingerprinted by $F_i + G_j + H_k$. Thus if a pirate obtains all his copies from one outlet and attempts to erase the fingerprints, we know exactly which copies he has obtained; if he obtains copies from different outlets in the same geographic area we no longer know exactly which copies they are, but we know the outlets they came from; and if he obtains copies from different geographical areas, we know the areas he visited, although we no longer know the individual outlets he obtained the copies from. Even in this last case, however,
 we still retain some information about the individual copies. Suppose, for example, that a pirate obtains copies $P + F_1 + G_1 + H_1$ and $P + F_2 + G_2 + H_2$. The owner who retrieves a tampered-with copy can determine that the pirate must have had access to at least two copies of the form $P + F_{i_1} + G_{j_1} + H_{k_1}$ and $P + F_{i_2} + G_{j_2} + H_{k_2}$ where $\{i_1, i_2\} = \{j_1, j_2\} = \{k_1, k_2\} = \{1, 2\}$, as shown in the following graph.



[Graph omitted in this text: a tree with $H_1$ and $H_2$ at the top, $G_1$ and $G_2$ below each, and $F_1$ and $F_2$ below each of those.]

Thus he knows there are only eight possibilities for the origins of the 
two shows. 

We have written largely in terms of discrete messages, i. e., mes- 
sages with finitely many symbols taken from a finite alphabet. But it 
is clearly possible to do something analogous with continuous messages. 
A reader who deals with these matters can fill in the details in the 
obvious way. 

NSA Grant MDA 904-83-H-0002 partially supported this work. 
References 

1. Neal Wagner, "Fingerprinting," Proceedings of the 1983 Symposium 
on Security and Privacy, pp. 18-22, IEEE Computer Society, Oak- 
land, CA, April 25-27, 1983. 



CRYPTANALYSIS OF DES WITH A REDUCED NUMBER OF ROUNDS 
SEQUENCES OF LINEAR FACTORS IN BLOCK CIPHERS 



David Chaum & Jan-Hendrik Evertse 

Centre for Mathematics and Computer Science 
Kruislaan 413 1098 SJ Amsterdam The Netherlands 

1. INTRODUCTION

A blockcipher is said to have a linear factor if, for all plaintexts and keys, there is a fixed 
non-empty set of key bits whose simultaneous complementation leaves the exclusive-or sum of a 
fixed non-empty set of ciphertext bits unchanged. 

Since it appears infeasible to test all possible combinations of key bits and ciphertext bits 
for DES [NBS 77], we tried to find linear structures in the separate rounds of DES and hoped 
that these structures could be combined to yield a linear factor over the whole cipher. This 
naturally led us to the notion of "sequences of linear factors." In general, there might be linear 
factors that cannot be derived from sequences of linear factors, but under our assumptions about 
DES (detailed below) it seems that factors for the whole cipher would consist of sequences of fac- 
tors for the individual rounds. Our notion of sequence of linear factors extends that of "per 
round linear factors" introduced by Reeds and Manferdelli [84]. The essential difference is that 
sequences of linear factors allow different rounds to have different linear factors, while per round 
linear factors must remain the same for each round. 

We have given several examples of blockciphers, consisting of consecutive rounds of DES, that are vulnerable to a known plaintext attack faster than exhaustive key search. For instance, the blockciphers consisting of the first 4, 5 or 6 rounds of DES can be attacked about $2^{19}$, $2^{9}$, and $2^{2}$ times faster than by exhaustive key search, respectively. The results presented do not work for the blockcipher consisting of rounds 1-7 of DES, but for the blockcipher consisting of rounds 2-8 we can save a factor 2.



This research was supported in part by the Netherlands Organization for the Advancement of Pure Research 
(Z.W.O.). 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 192-211, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






The attacks considered are of the "meet-in-the-middle" type. Such an attack on a blockcipher composed of R consecutive rounds of DES can be described as follows: Suppose a cryptanalyst has a plaintext p and corresponding ciphertext c. For each guessed key k the cryptanalyst enciphers p with the first S rounds of DES, yielding d', and deciphers c with the last R − S rounds, yielding d''. If d' = d'', the cryptanalyst concludes that k is the true key. Considerably fewer guesses for the key are required compared to exhaustive key search when there are i and j such that both the j-th bit of d' and the j-th bit of d'' are independent of the i-th key bit. By independence we mean that for all p, c, and k, the j-th bit of d' and the j-th bit of d'' are unchanged when the i-th bit of k is complemented.
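The definition of a linear factor, and the bit independence the meet-in-the-middle attack relies on, made concrete on a 4-bit toy cipher where the exhaustive test the paper calls infeasible for DES is trivial. This is an added example, not code from the paper: the cipher with the folded key schedule is constructed here to exhibit a factor, and the S-box is the published PRESENT S-box, used only as a convenient 4-bit bijection.

```python
from itertools import combinations

# Added example (not from the paper). A 4-bit block, 4-bit key toy cipher,
# constructed to illustrate the definition; the S-box is the PRESENT S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # block and key length in bits

def bit(x, i):
    return (x >> i) & 1

def weak_cipher(p, k):
    """Deliberately defective key schedule: only k0 XOR k1 reaches the cipher
    (in bit positions 0 and 3), so complementing key bits 0 and 1 together
    leaves every ciphertext bit unchanged: a linear factor with J = {0, 1}."""
    fold = bit(k, 0) ^ bit(k, 1)
    e = fold | (bit(k, 2) << 1) | (bit(k, 3) << 2) | (fold << 3)
    return SBOX[(p ^ e) & 0xF]

def xor_cipher(p, k):
    """Degenerate reference cipher c = p XOR k."""
    return p ^ k

def is_linear_factor(cipher, J, I, n=N):
    """J: key-bit positions, I: ciphertext-bit positions. True iff for every
    plaintext and key, complementing all bits in J leaves the XOR-sum of the
    ciphertext bits in I unchanged (the paper's definition)."""
    mask = sum(1 << j for j in J)
    for p in range(1 << n):
        for k in range(1 << n):
            c1, c2 = cipher(p, k), cipher(p, k ^ mask)
            s1 = s2 = 0
            for i in I:
                s1 ^= bit(c1, i)
                s2 ^= bit(c2, i)
            if s1 != s2:
                return False
    return True

def linear_factors(cipher, n=N):
    """Exhaustive search over all non-empty (J, I): fine for a 4-bit toy,
    infeasible for DES, which is why the paper looks at rounds separately."""
    subsets = [frozenset(c) for r in range(1, n + 1)
               for c in combinations(range(n), r)]
    return [(J, I) for J in subsets for I in subsets
            if is_linear_factor(cipher, J, I, n)]

def bit_independent(cipher, key_bit, ct_bit, n=N):
    """Ciphertext bit j independent of key bit i (the meet-in-the-middle
    precondition) is the special case J = {i}, I = {j}."""
    return is_linear_factor(cipher, {key_bit}, {ct_bit}, n)
```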

Meyer [78] argued that blockciphers consisting of R consecutive rounds of DES can have ciphertext bits independent of key bits if and only if R < 4. In his arguments he used the unproved assumption that between two adjacent rounds of DES no dependencies are cancelled. This assumption means that if some output bit of the j-th round is functionally dependent on certain input bits for the j-th round and if some of these input bits are functionally dependent on the i-th key bit, then that output bit is also dependent on the i-th key bit. Meyer's assumption can be considered as a special case of the assumption that linear factors in DES always result from sequences of linear factors in the individual rounds. Under this general assumption, we show that blockciphers consisting of eight or more consecutive rounds of DES have no linear factors, and as a special case, that such ciphers are not subject to the kind of meet-in-the-middle attacks described above.

The next section explains how linear structures can be helpful in cryptanalysis while introducing
some necessary notation. Subsequent sections consider whether DES with a reduced
number of rounds has such structures. Potential extensions to more rounds of DES are mentioned
in our concluding remarks.

2. LINEAR STRUCTURES IN BLOCKCIPHERS 

This section gives an overview of various kinds of linear structures which blockciphers can
have, together with their possible consequences for cryptanalysis. Some of the ideas in this section
are included in [Hellman et al 76] and [Reeds and Manferdelli 84].

Some elementary notation that will allow us to make precise statements in the remainder of
the paper is now introduced. Let $\mathbf{F}_2 = \{0, 1\}$ be the finite field of two elements. By $\mathbf{F}_2^n$ we shall
denote the vector space of $n$-tuples over $\mathbf{F}_2$. Elements of $\mathbf{F}_2^n$ are denoted by bold characters such
as $x$ or strings $x_1 x_2 \cdots x_n$, with $x_i \in \mathbf{F}_2$, and with the coordinates of $x$ commonly referred to as
"bits." Elements of the cartesian product $\mathbf{F}_2^{n_1} \times \cdots \times \mathbf{F}_2^{n_r}$ are often denoted by $(x_1, \cdots, x_r)$,
where $x_i \in \mathbf{F}_2^{n_i}$ for $i = 1, \cdots, r$. When using notions from linear algebra, such as vectors, vector
spaces, bases, linear mappings, etc. we assume that the underlying field of scalars is $\mathbf{F}_2$. In particular,
the + sign denotes addition of vectors over $\mathbf{F}_2$, sometimes referred to as exclusive-or. If
$A$ is a linear mapping, then $\mathrm{im}(A)$ and $\ker(A)$ will denote its image and null space, respectively.

If $\mathcal{V}$ is a vector space and if $\mathcal{V}_1, \cdots, \mathcal{V}_r$ are subspaces of $\mathcal{V}$, then $\sum_{j=1}^{r} \mathcal{V}_j$ denotes the smallest
subspace of $\mathcal{V}$ containing $\mathcal{V}_1, \cdots, \mathcal{V}_r$. The subspace of $\mathcal{V}$ generated by the set $\{x_a : a \in A\}$ is
denoted by $[x_a : a \in A]$.

By a blockcipher, we mean a mapping $F : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$, where $\mathcal{M} = \mathbf{F}_2^m$, $\mathcal{K} = \mathbf{F}_2^n$ are the message
space and key space respectively, such that for each $k \in \mathcal{K}$, the mapping $F(\cdot, k) : \mathcal{M} \to \mathcal{M}$ is
invertible. We denote decryption by $F^{-1} : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$, i.e. if $c \in \mathcal{M}$, $k \in \mathcal{K}$ then $F^{-1}(c,k)$ is
equal to $p$, where $p$ is the element of $\mathcal{M}$ for which $F(p,k) = c$. Finally, if
$F_1, \cdots, F_R : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$ are blockciphers, then the product $F = F_R F_{R-1} \cdots F_1$ of $F_1, \cdots, F_R$
is defined as follows: if $p \in \mathcal{M}$, $k \in \mathcal{K}$, and if the sequence $p_1, p_2, \cdots$ is defined by

$$p_1 = F_1(p, k),\ p_2 = F_2(p_1, k),\ \cdots,\ p_R = F_R(p_{R-1}, k),$$

then

$$F(p, k) = p_R .$$

Let $F : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$ be a blockcipher, where $\mathcal{M} = \mathbf{F}_2^m$, $\mathcal{K} = \mathbf{F}_2^n$. If $c = F(p,k)$ with
$p = p_1 \cdots p_m$, $k = k_1 \cdots k_n$, $c = c_1 \cdots c_m$, then

$$c_i = f_i(p_1, \cdots, p_m, k_1, \cdots, k_n) \quad \text{for } i = 1, \cdots, m, \qquad (1)$$

where the $f_i : \mathbf{F}_2^{m+n} \to \mathbf{F}_2$ are boolean functions. Suppose that there are sets $\{i_1, \cdots, i_s\} \subseteq \{1, \cdots, n\}$,
$\{j_1, \cdots, j_r\} \subseteq \{1, \cdots, m\}$ such that the functions $f_{j_k}$ are independent of the key
bits $k_i$ with $i$ different from $i_1, \cdots, i_s$, that is

This can be written more conveniently as

$$\bar{c} = \bar{F}(p, \bar{k}), \qquad (2)$$

where $\bar{k} = k_{i_1} \cdots k_{i_s}$, $\bar{c} = c_{j_1} \cdots c_{j_r}$, $\bar{F} : \mathbf{F}_2^m \times \mathbf{F}_2^s \to \mathbf{F}_2^r$.

Suppose that a cryptanalist knows a pair of plaintext and corresponding ciphertext $(p, c)$ of
$F$ and wants to find the key $k$ from the equation

$$c = F(p, k). \qquad (3)$$

The cryptanalist may use the following method: (i) solve $\bar{k} = k_{i_1} \cdots k_{i_s}$ from (2) by exhaustively
trying all $\bar{k}$ (a value of $\bar{k}$ can be tried by extending $\bar{k}$ to a key $k$ by setting all key bits $k_i$ with $i$
different from $i_1, \cdots, i_s$ to zero, computing $F(p, k)$ and checking if the correct value of $\bar{c}$
appears) and (ii) solve $k$ from (3) by exhaustively trying all $k$ for which $k_{i_1}, \cdots, k_{i_s}$ are equal to






the values found in (i). Assuming that in step (i) only one solution is found, the cryptanalist has
to do about

$$2^s + 2^{n-s} \qquad (4)$$

computations of $F$ before finding the key. In general, we may not assume that only one solution
is found in (i). The number of solutions found in (i) can be reduced if the cryptanalist possesses
$M$ pairs of corresponding plaintext and ciphertext. Suppose that the cryptanalist has the
plaintext-ciphertext pairs $(p_1, c_1), \cdots, (p_M, c_M)$ and wants to solve the key from

$$c_1 = F(p_1, k), \cdots, c_M = F(p_M, k). \qquad (5)$$

Instead of doing (i),(ii), the following method may be used:

(i'): try all values for $\bar{k}$. If a $\bar{k}$ is found with $\bar{F}(p_1, \bar{k}) = \bar{c}_1$, then check if $\bar{F}(p_2, \bar{k}) = \bar{c}_2$,
$\bar{F}(p_3, \bar{k}) = \bar{c}_3$, $\cdots$ until some $l$ is found with $\bar{F}(p_l, \bar{k}) \neq \bar{c}_l$ or $l = M$. Accept $\bar{k}$ as a solution if
$\bar{F}(p_l, \bar{k}) = \bar{c}_l$ for $l = 1, \cdots, M$;

(ii'): try all values for $k$ for which $k_{i_1} \cdots k_{i_s}$ is equal to one of the accepted solutions in (i'). If
$F(p_1, k) = c_1$ then check if $F(p_2, k) = c_2$, $F(p_3, k) = c_3$, $\cdots$ until $F(p_l, k) \neq c_l$ for some $l$ or $l = M$.
Accept $k$ as a correct key if $F(p_l, k) = c_l$ for $l = 1, \cdots, M$.

This algorithm finds all keys $k$ with $F(p_l, k) = c_l$ for $l = 1, \cdots, M$. In order to estimate the
expected number of encipherments needed in steps (i'),(ii') we make the following very heuristic
assumptions: for $k = 1, \cdots, r$, $l = 1, \cdots, M$ and for all wrong values of $\bar{k} = k_{i_1} \cdots k_{i_s}$ the
$f_{j_k}(p_l, k)$ are mutually independent uniformly distributed random variables on $\{0, 1\}$; for all $j$
different from $j_1, \cdots, j_r$, for all $l$ in $\{1, \cdots, M\}$ and all wrong values of $k$ the $f_j(p_l, k)$ are also
mutually independent uniformly distributed random variables on $\{0, 1\}$. With these assumptions,
the expected number of encipherments in step (i') is

$$M + (2^s - 1)(1 - 2^{-r})\left(1 + 2 \cdot 2^{-r} + 3 \cdot 2^{-2r} + \cdots\right) \le M + \frac{2^s}{1 - 2^{-r}}$$

(where the term $M$ comes from the correct value of $\bar{k}$). The expected number of keys which have
to be tried in step (ii') is equal to the product of $2^{n-s}$ and the expected number of accepted
values for $\bar{k}$ in step (i'), namely

$$2^{n-s}\left(1 + (2^s - 1)\, 2^{-Mr}\right).$$

Hence the expected number of encipherments in step (ii') is at most






$$M + \left(2^{n-s}\left[1 + (2^s - 1)\, 2^{-Mr}\right] - 1\right)(1 - 2^{r-m})\left(1 + 2 \cdot 2^{r-m} + 3 \cdot 2^{2(r-m)} + \cdots\right) \le M + \frac{2^{n-s}\left[1 + (2^s - 1)\, 2^{-Mr}\right]}{1 - 2^{r-m}} .$$

Therefore, the expected total number of encipherments is at most

$$2M + \frac{2^s}{1 - 2^{-r}} + \frac{2^{n-s}\left(1 + (2^s - 1)\, 2^{-Mr}\right)}{1 - 2^{r-m}} . \qquad (6)$$

If $Mr > s$ this is only slightly larger than $2^s + 2^{n-s}$.
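The procedure (i'),(ii') and the cost estimates (4) and (6) are easy to see on a cipher small enough to enumerate. The Python below is an added example, not code from the paper: it defines a constructed 16-bit toy blockcipher (toy_encrypt, built on a fixed pseudo-random 8-bit S-box) whose high ciphertext byte depends only on the low key byte, so that in the notation of (2) s = r = 8 and n = m = 16 (bit indices are 0-based in the code), and it runs steps (i') and (ii') generically from the index sets I and J while counting encipherments. The names attack, deposit and demo, the sample key and the sample plaintexts are this example's own.

```python
"""Key search using ciphertext bits that depend on part of the key only:
steps (i') and (ii') of the paper, run on a constructed 16-bit toy blockcipher.
Added example; toy_encrypt, deposit, attack and demo are this example's names."""
import random

# Constructed 8-bit bijective S-box: a fixed pseudo-random permutation (not DES's).
_rng = random.Random(1985)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def toy_encrypt(p: int, k: int) -> int:
    """Constructed 16-bit blockcipher with a linear structure in the sense of (2):
    ciphertext bits 8..15 (high byte) depend only on key bits 0..7, so in the
    paper's notation s = r = 8 and n = m = 16 (bit indices are 0-based here).
    For fixed k the map p -> c is a bijection, so this is a blockcipher."""
    kl, kh = k & 0xFF, k >> 8
    ph, pl = p >> 8, p & 0xFF
    x = SBOX[ph ^ kl]          # high byte of c: independent of kh
    y = pl ^ SBOX[x ^ kh]      # low byte of c: depends on all 16 key bits
    return (x << 8) | y


def deposit(value: int, positions) -> int:
    """Scatter the bits of `value` into the bit positions listed in `positions`."""
    out = 0
    for b, pos in enumerate(positions):
        if (value >> b) & 1:
            out |= 1 << pos
    return out


def attack(encrypt, pairs, n, I, J):
    """Steps (i') and (ii'): `pairs` are M known (plaintext, ciphertext) pairs,
    n the key length in bits, I the key-bit indices i_1..i_s and J the
    ciphertext-bit indices j_1..j_r such that c_J is a function of (p, k_I).
    Returns (keys consistent with every pair, number of encipherments)."""
    I = list(I)
    rest = [i for i in range(n) if i not in I]
    J_mask = sum(1 << j for j in J)
    count = 0
    # (i'): enumerate k-bar = k_I only, the other key bits set to zero, and keep
    # the values whose J ciphertext bits agree with every pair (stop at the first
    # pair that disagrees, as in the paper).
    accepted = []
    for sub in range(1 << len(I)):
        k_bar = deposit(sub, I)
        for p, c in pairs:
            count += 1
            if (encrypt(p, k_bar) ^ c) & J_mask:
                break
        else:
            accepted.append(k_bar)
    # (ii'): extend each accepted k-bar by all 2^(n-s) settings of the other bits.
    keys = []
    for k_bar in accepted:
        for sub in range(1 << len(rest)):
            k = k_bar | deposit(sub, rest)
            for p, c in pairs:
                count += 1
                if encrypt(p, k) != c:
                    break
            else:
                keys.append(k)
    return keys, count


def demo():
    """Recover a constructed key from two known pairs and report the cost.
    Returns (recovered keys, encipherments used, exhaustive-search cost 2^n)."""
    true_key = 0x3C5A                       # constructed sample key
    plaintexts = [0x1234, 0xABCD]           # constructed sample plaintexts
    pairs = [(p, toy_encrypt(p, true_key)) for p in plaintexts]
    keys, count = attack(toy_encrypt, pairs, 16, range(8), range(8, 16))
    return keys, count, 1 << 16


if __name__ == "__main__":
    keys, count, brute = demo()
    print([hex(k) for k in keys], count, "encipherments instead of", brute)
```

Because the toy S-box is a bijection, every wrong value of k-bar is rejected on the first pair and no false acceptances reach step (ii'), so the count is exactly 2^8 + 2^8 + 2 = 514 encipherments for two known pairs against 2^16 for exhaustive search; with a cipher for which wrong k-bar values survive the first pair, the extra terms of (6) would show up in the count.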

Suppose that $G, H : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$ are two blockciphers and that $F = HG$. Suppose that a
cryptanalist knows a plaintext-ciphertext pair of $F$, $(p, c)$ say. Instead of solving the unknown key
$k$ from (3), a cryptanalist can try to solve $k$ from

$$G(p, k) = H^{-1}(c, k). \qquad (7)$$

Attacks in which $k$ is solved from eq. (7) instead of (3) are called meet-in-the-middle attacks. Let
$d' = d'_1 \cdots d'_m = G(p, k)$, $d'' = d''_1 \cdots d''_m = H^{-1}(c, k)$. Suppose that there are subsets
$\{i_1, \cdots, i_s\}$ of $\{1, \cdots, n\}$ and $\{j_1, \cdots, j_r\}$ of $\{1, \cdots, m\}$ such that $d'_{j_1}, \cdots, d'_{j_r}, d''_{j_1}, \cdots, d''_{j_r}$
are functionally independent of the key bits $k_i$ with $i$ different from $i_1, \cdots, i_s$. In other words,
there are boolean functions $g_1, \cdots, g_r, h_1, \cdots, h_r$ such that

$$d'_{j_1} = g_1(p, k_{i_1}, \cdots, k_{i_s}), \qquad d''_{j_1} = h_1(c, k_{i_1}, \cdots, k_{i_s}),$$
$$\vdots$$
$$d'_{j_r} = g_r(p, k_{i_1}, \cdots, k_{i_s}), \qquad d''_{j_r} = h_r(c, k_{i_1}, \cdots, k_{i_s}). \qquad (8)$$

Now the unknown key $k$ can be found by first solving $k_{i_1}, \cdots, k_{i_s}$ from $g_1 = h_1, \cdots, g_r = h_r$ and
then solving the remaining key bits from (3) or (7). If the cryptanalist has $M$ plaintext-ciphertext
pairs, the number of $G, H^{-1}$ computations needed is given by (6).

We now consider linear structures more general than independencies of ciphertext bits or
"bits in the middle" from key bits. Suppose that $A : \mathbf{F}_2^m \to \mathbf{F}_2^r$, $B : \mathbf{F}_2^n \to \mathbf{F}_2^s$ are surjective linear mappings
and that there exists a function $\bar{F}$ such that

$$A F(p, k) = \bar{F}(p, Bk) \quad \text{for } p \in \mathcal{M},\ k \in \mathcal{K}. \qquad (9)$$

Given a known plaintext-ciphertext pair $(p, c)$ it is possible to solve the unknown key $k$ from
$c = F(p, k)$ by firstly solving $\bar{k}$ from $Ac = \bar{F}(p, \bar{k})$ and secondly solving $k$ from $c = F(p, k)$, under the






restriction that $Bk = \bar{k}$. Using that $\mathrm{im}(B)$ has cardinality $2^s$ while the equation $Bk = \bar{k}$ has $2^{n-s}$
solutions, a cryptanalist having $M$ plaintext-ciphertext pairs can find the key in a number of encipherments
which is given by (6).

The linear structures which can be used in a meet-in-the-middle attack are more general
than those explained above. Such structures exist if there are blockciphers $G, H$ with $F = HG$,
surjective linear mappings $A : \mathbf{F}_2^m \to \mathbf{F}_2^r$, $B : \mathbf{F}_2^n \to \mathbf{F}_2^s$ and functions $\bar{G}, \bar{H}$, such that for
$p, c \in \mathcal{M}$, $k \in \mathcal{K}$,

$$A G(p, k) = \bar{G}(p, Bk), \qquad A H^{-1}(c, k) = \bar{H}(c, Bk). \qquad (10)$$

As mentioned in the introduction, given a blockcipher $F$, it might be infeasible to find out
if it has any linear factors. Instead of this, one might try to represent $F$ as a product of cryptographically
weak blockciphers and check if these weak blockciphers themselves have such linear
structures. Suppose that $F_1, \cdots, F_R : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$ are blockciphers and that $F = F_R \cdots F_1$.
Let $A_i$ ($i = 0, \cdots, R$) be linear mappings on $\mathcal{M}$ and let $B$ be a linear mapping on $\mathcal{K}$. We call
$(A_0, \cdots, A_R; B)$ a sequence of linear factors for $F$ (with respect to $F_1, \cdots, F_R$) if there are functions
$\bar{F}_i$ ($i = 1, \cdots, R$): $\mathrm{im}(A_{i-1}) \times \mathrm{im}(B) \to \mathrm{im}(A_i)$ such that for $p \in \mathcal{M}$, $k \in \mathcal{K}$,

$$A_i F_i(p, k) = \bar{F}_i(A_{i-1}\, p, Bk) \quad \text{for } i = 1, \cdots, R. \qquad (11)$$

Then there is a function $\bar{F} : \mathrm{im}(A_0) \times \mathrm{im}(B) \to \mathrm{im}(A_R)$ such that

$$A_R F(p, k) = \bar{F}(A_0\, p, Bk). \qquad (12)$$

Note again that there may be linear mappings $A_0, A_R, B$ satisfying (12) for some $\bar{F}$ which do not
belong to sequences of linear factors.

Let $G = F_M F_{M-1} \cdots F_1$, $H = F_R F_{R-1} \cdots F_{M+1}$. Then $F = HG$. In a meet-in-the-middle
attack we will need sequences of linear factors $(A_0, \cdots, A_M; B)$, $(A'_R, A'_{R-1}, \cdots, A'_M; B)$ for
$G, H^{-1}$ respectively, such that

$$A_M = A'_M .$$

Also note that if $(A'_R, \cdots, A'_M; B)$ is a sequence of linear factors for $H^{-1}$ then
$(A'_M, \cdots, A'_R; B)$ is not necessarily a sequence of linear factors for $H$.

We need no longer distinguish between sequences of linear factors $(A_0, \cdots, A_R; B)$,
$(A'_0, \cdots, A'_R; B')$ with $\ker(A_i) = \ker(A'_i)$ ($i = 0, \cdots, R$), $\ker(B) = \ker(B')$, since they give us
exactly the same advantage in finding the key. Thus we are mainly interested in sequences of
vector spaces $(\mathcal{V}_0, \mathcal{V}_1, \cdots, \mathcal{V}_R; \mathcal{W})$ where $\mathcal{V}_i = \ker(A_i)$, $\mathcal{W} = \ker(B)$ for some sequence of linear
factors $(A_0, \cdots, A_R; B)$. Such sequences of vector spaces are called sequences of factor spaces for
$F$. The following lemma characterizes these sequences of factor spaces.






Lemma 1. Let $\mathcal{V}_0, \cdots, \mathcal{V}_R \subseteq \mathcal{M}$, $\mathcal{W} \subseteq \mathcal{K}$ be vector spaces. Then the following statements are
equivalent.

(i) $(\mathcal{V}_0, \cdots, \mathcal{V}_R; \mathcal{W})$ is a sequence of factor spaces for $F$.

(ii) $F_i(p + x, k + y) + F_i(p, k) \in \mathcal{V}_i$ for all $i \in \{1, \cdots, R\}$, $p \in \mathcal{M}$, $k \in \mathcal{K}$, $x \in \mathcal{V}_{i-1}$, $y \in \mathcal{W}$.

Proof: (i) → (ii). Let $(A_0, \cdots, A_R; B)$ be a sequence of linear factors for $F$ with
$\ker(A_i) = \mathcal{V}_i$ ($i = 0, \cdots, R$), $\ker(B) = \mathcal{W}$. It is easy to check that for $i = 1, \cdots, R$, $p \in \mathcal{M}$, $k \in \mathcal{K}$,

$$A_i F_i(p + x, k + y) = A_i F_i(p, k).$$

This proves (ii).

(ii) → (i). Choose linear mappings $A_0, \cdots, A_R, B$ such that $\ker(A_i) = \mathcal{V}_i$ ($i = 0, \cdots, R$),
$\ker(B) = \mathcal{W}$. Define functions $\bar{F}_i : \mathrm{im}(A_{i-1}) \times \mathrm{im}(B) \to \mathrm{im}(A_i)$ ($i = 1, \cdots, R$) as follows: if
$\bar{p} \in \mathrm{im}(A_{i-1})$, $\bar{k} \in \mathrm{im}(B)$ then choose $p, k$ such that $A_{i-1}\, p = \bar{p}$, $Bk = \bar{k}$ and put $\bar{F}_i(\bar{p}, \bar{k}) = A_i F_i(p, k)$.
From statement (ii) it follows that the $\bar{F}_i$ are well-defined (i.e. independent of the choice of $p, k$)
and that for $p \in \mathcal{M}$, $k \in \mathcal{K}$,

$$A_i F_i(p, k) = \bar{F}_i(A_{i-1}\, p, Bk).$$

This proves (i). □

2.1. SOME GENERALIZATIONS

Here we briefly mention some ways in which sequences of linear factors can be generalized.
We have not looked for such general structures in DES. As before, $F_1, \cdots, F_R$ are blockciphers
and $F = F_R F_{R-1} \cdots F_1$. One possibility is to consider sequences of factors $(A_0, \cdots, A_R; B)$
where $A_0, \cdots, A_R, B$ are not necessarily linear mappings satisfying (11) for certain functions $\bar{F}_i$.
Such sequences can be helpful in cryptanalysis if $B$ is a simple mapping, such as a linear mapping,
a mapping composed of low degree polynomials over $\mathbf{F}_2$, etc.

A second generalization considers sequences of near linear factors. This notion is an extension
of an idea presented in [Hellman et al 76]. A sequence of linear mappings $(A_0, \cdots, A_R; B)$
is called a sequence of near linear factors for $F$ valid for a set $S$ of pairs of plaintexts and keys if
there are functions $\bar{F}_i$ such that for each pair $(p, k)$ in $S$ and each $i$ with $1 \le i \le R$,

$$A_i\, p_i = \bar{F}_i(A_{i-1}\, p_{i-1}, Bk),$$

where $p_0 = p$, $p_i = F_i(p_{i-1}, k)$. Suppose that $F$ has a sequence of near linear factors
$(A_0, \cdots, A_R; B)$ valid for a set $S$ containing pairs $(p, k)$ for each key $k$ or more generally, that $F$
has sequences of linear factors $(A_0, \cdots, A_R; B)$, all having the same $A_0, A_R, B$ and valid for sets






$S_1, \cdots, S_r$ respectively, such that $S_1 \cup \cdots \cup S_r$ contains pairs $(p, k)$ for each $k$. Then there
exist a positive number $C$ and a function $\bar{F}$ such that for each key $k$, the relations

$$A_R F(p, k) = \bar{F}(A_0\, p, Bk) \qquad (13)$$

are valid for a fraction $1/C$ of the plaintexts $p$. If a cryptanalist has $C$ pairs of corresponding
plaintext and ciphertext, then for each pair $(p, c)$ the key can be solved, under the hypothesis that
(13) holds for the plaintext $p$. Thus $C$ keys are found, one of which is expected to be the correct
key.

A blockcipher $F$ is said to have key clustering if there exist a mapping $\bar{F}$ and a non-injective
linear mapping $B$ such that for each key $k$, the relation

$$F(p, k) = \bar{F}(p, Bk)$$

holds for a positive fraction of the plaintexts $p$. Desmedt, Quisquater and Davio [84] gave a few
examples of key clustering in blockciphers consisting of at most three rounds of DES. The
method by which these examples have been constructed can be described in terms of sequences of
near linear factors as mentioned above.



3. MEET-IN-THE-MIDDLE ATTACKS ON DES

Independencies of "bits in the middle" from key bits in DES, which can be helpful in a
meet-in-the-middle attack, are the subject of this section. First we give an overview of the mappings
used in DES, assuming that the reader is familiar with the NBS description of the Data
Encryption Standard. (For the complete description, we refer to [NBS 77]). In this paper, we
use a slightly modified version of DES in which $IP, IP^{-1}, PC1$ are not used and $E, P$ are combined
to one table $EP$ (cf. Davio et al [83], pp. 184-185). Thus the following mappings are used
in our version of DES:

$EP : \mathbf{F}_2^{32} \to \mathbf{F}_2^{48}$: $EPx$ is formed from $x$ as follows: first $y = Px$ is formed by permuting the 32 bits
of $x$; then $EPx = Ey$ is formed by taking 16 of the 32 bits of $y$ once and the other 16 twice;

$S_i : \mathbf{F}_2^6 \to \mathbf{F}_2^4$ ($i = 1, \cdots, 8$): the mappings defined by the S-boxes;

$S : \mathbf{F}_2^{48} \to \mathbf{F}_2^{32}$: $S(x) = (S_1 x_1, \cdots, S_8 x_8)$ for $x = (x_1, \cdots, x_8)$ with $x_i \in \mathbf{F}_2^6$;

$L_i : \mathbf{F}_2^{56} \to \mathbf{F}_2^{48}$ ($i = 1, \cdots, 16$): $L_i k = PC2(C^{r(i)} k_1, C^{r(i)} k_2)$ for $k = (k_1, k_2)$ with $k_1, k_2 \in \mathbf{F}_2^{28}$. Here
$Cx$ is formed from $x$ by applying a cyclic left shift to the bits of $x$, $r(i)$ is an integer determined
by the shift pattern in the NBS description of the key scheduling and $PC2(x, y)$ is formed from
$x, y$ by selecting 24 bits from $x$, selecting 24 bits from $y$ and permuting the selected 48 bits in
some order.

The mappings $EP, L_i$ are linear. If $A$ is a linear mapping, then we say that $A$ sends $p$ to $q$ if $A$
maps the vector of which only the $p$-th bit is equal to 1 onto a vector of which at least the $q$-th
bit equals 1. If $A$ maps the vector with only a 1 in its $p$-th bit onto 0, we say that $A$ does not
choose $p$. Thus $EP$ sends each $p$ in $\{1, \cdots, 32\}$ to either one or two elements of $\{1, \cdots, 48\}$,
while each $p$ in $\{1, \cdots, 56\}$ is either not chosen by $L_i$ or sent to exactly one element of
$\{1, \cdots, 48\}$.

We shall now algebraically describe our version of DES. The message space is $\mathbf{F}_2^{64}$. Elements
of $\mathbf{F}_2^{64}$ will be written in the form $(x, y)$, where $x, y \in \mathbf{F}_2^{32}$. The key space is $\mathbf{F}_2^{56}$.

The mappings $F_i : \mathbf{F}_2^{64} \times \mathbf{F}_2^{56} \to \mathbf{F}_2^{64}$ ($i = 1, \cdots, 16$) (the "rounds") are defined by

$$F_i(q_0, q_1, k) = (q_1,\ q_0 + S(EP\, q_1 + L_i k)) \quad \text{for } (q_0, q_1) \in \mathbf{F}_2^{64},\ k \in \mathbf{F}_2^{56}$$

and $DES : \mathbf{F}_2^{64} \times \mathbf{F}_2^{56} \to \mathbf{F}_2^{64}$ is defined by

$$DES = F_{16} F_{15} \cdots F_1 .$$

Thus if $q_2, q_3, \cdots$ are defined by the recurrence

$$q_{i+1} = q_{i-1} + S(EP\, q_i + L_i k) \quad (i = 1, \cdots, 16)$$

then $DES(q_0, q_1, k) = (q_{16}, q_{17})$.

Let $R, T$ be integers with $1 \le R \le T \le 16$. We define

$$DES_{R,T} = F_T F_{T-1} \cdots F_R .$$

Let $R, M, T$ be integers with $1 \le R \le M < T \le 16$. For $p, c \in \mathbf{F}_2^{64}$, $k \in \mathbf{F}_2^{56}$, we put

$$d' = d'_1 \cdots d'_{64} = DES_{R,M}(p, k),\quad d'' = d''_1 \cdots d''_{64} = DES^{-1}_{M+1,T}(c, k),\quad k = k_1 \cdots k_{56}. \qquad (14)$$

Our aim is to find out if there are subsets $\{i_1, \cdots, i_s\}$, $\{j_1, \cdots, j_r\}$ of
$\{1, \cdots, 56\}$, $\{1, \cdots, 64\}$ respectively, such that $d'_{j_1}, \cdots, d'_{j_r}, d''_{j_1}, \cdots, d''_{j_r}$ are functionally
independent of the key bits $k_i$ with $i$ different from $i_1, \cdots, i_s$.

Let $p, c$ have the same meaning as above and put $p = (q_{R-1}, q_R)$, $c = (q'_T, q'_{T+1})$. Define the
sequences $q_{R-1}, q_R, q_{R+1}, \cdots$, $q'_{T+1}, q'_T, q'_{T-1}, \cdots$ by

$$q_{i+1} = q_{i-1} + S(EP\, q_i + L_i k) \quad (i = R, R+1, \cdots),$$
$$q'_{i-1} = q'_{i+1} + S(EP\, q'_i + L_i k) \quad (i = T, T-1, \cdots).$$






Let $t \in \{1, \cdots, 56\}$. We define the sets $X_i(t)$ ($i = R-1, R, R+1, \cdots$), $X'_i(t)$
($i = T+1, T, T-1, \cdots$) recursively as follows:

$X_{R-1}(t) = X_R(t) = \emptyset$; $X'_{T+1}(t) = X'_T(t) = \emptyset$;

$X_{i+1}(t)$ is the set of indices of the bits of $q_{i+1}$ which functionally depend on
some of the bits of $q_i$ with indices in $X_i(t)$, some of the bits of $q_{i-1}$ with
indices in $X_{i-1}(t)$ and eventually $k_t$;

$X'_{i-1}(t)$ is defined similarly in terms of $X'_i(t), X'_{i+1}(t), k_t$. $\qquad (15)$

Obviously, the sets of bits of $q_i$, $q'_i$ respectively, which are functionally dependent on $k_t$ are
included in $X_i(t)$, $X'_i(t)$, respectively. An equivalent formulation of Meyer's assumption mentioned
in §1 is that all indices in $X_i(t), X'_i(t)$ are of bits of $q_i, q'_i$ which are functionally dependent
on $k_t$. For each $t$, we shall recursively compute the sets $X_i(t), X'_i(t)$. To this end, we introduce
the following sets:

$$U_1 = \{1, 2, \cdots, 6\},\ U_2 = \{7, \cdots, 12\},\ \cdots,\ U_8 = \{43, \cdots, 48\},$$
$$V_1 = \{1, 2, 3, 4\},\ V_2 = \{5, \cdots, 8\},\ \cdots,\ V_8 = \{29, \cdots, 32\}.$$

Put $W_i(t) = \emptyset$ if $L_i$ does not choose $t$ and $W_i(t) = \{j\}$ if $L_i$ sends $t$ to an element of $U_j$. Finally,
let $\mathcal{F}$ be a function, mapping subsets of $\{1, \cdots, 8\}$ onto subsets of $\{1, \cdots, 8\}$, which is defined
as follows: $\mathcal{F}(A)$ is the set of integers $j$ with the property that there is an $i \in A$ such that $EP$
sends an element of $V_i$ to an element of $U_j$. In particular, $\mathcal{F}(\emptyset) = \emptyset$.



$\mathcal{F}(\{1\}) = \{2,3,4,5,6,8\}$     $\mathcal{F}(\{5\}) = \{1,2,3,4,6,7\}$
$\mathcal{F}(\{2\}) = \{1,3,4,5,7,8\}$     $\mathcal{F}(\{6\}) = \{1,2,3,5,7,8\}$     $\mathcal{F}(\emptyset) = \emptyset$
$\mathcal{F}(\{3\}) = \{2,4,5,6,7,8\}$     $\mathcal{F}(\{7\}) = \{1,2,3,4,6,8\}$     $\mathcal{F}(A \cup B) = \mathcal{F}(A) \cup \mathcal{F}(B)$
$\mathcal{F}(\{4\}) = \{1,3,5,6,7,8\}$     $\mathcal{F}(\{8\}) = \{1,2,4,5,6,7\}$

table 1: the function $\mathcal{F}$



We define the sets $V_{R-1}(t), V_R(t), V_{R+1}(t), \cdots$, $V'_{T+1}(t), V'_T(t), V'_{T-1}(t), \cdots$ recursively
as follows:

$$V_{R-1}(t) = V_R(t) = \emptyset, \qquad V'_{T+1}(t) = V'_T(t) = \emptyset,$$
$$V_{i+1}(t) = V_{i-1}(t) \cup \mathcal{F}(V_i(t)) \cup W_i(t) \quad (i = R, R+1, \cdots), \qquad (16)$$
$$V'_{i-1}(t) = V'_{i+1}(t) \cup \mathcal{F}(V'_i(t)) \cup W_i(t) \quad (i = T, T-1, \cdots).$$

Using that for each S-box in DES, all four output bits functionally depend on all six input bits,
we obtain






$$X_i(t) = \bigcup_{j \in V_i(t)} V_j, \qquad X'_i(t) = \bigcup_{j \in V'_i(t)} V_j. \qquad (17)$$

Hence the integers $j$ in $\{1, \cdots, 64\}$ such that at least one of the bits $d'_j, d''_j$ (cf. (14)) depends
on $k_t$ belong to the set

$$Q(t) = X_M(t) \cup X'_M(t) \cup \{j > 32 : j - 32 \in X_{M+1}(t) \cup X'_{M+1}(t)\}. \qquad (18)$$

It is very easy to compute the sets $Q(t)$, using the recurrence relations (16). For each subset $I$ of
$\{1, \cdots, 56\}$, the set $J$ of integers in $\{1, \cdots, 64\}$ not belonging to any of the sets $Q(t)$ with $t \in I$
has the property that for $j \in J$, both $d'_j, d''_j$ are functionally independent of the $k_t$ with $t \in I$.
The examples for the sets $I, J$ in the table below have been obtained by computing for each $j$ the
set of $t$ such that $j \notin Q(t)$. $N = T - R + 1$ denotes the number of consecutive rounds.



R  M  T  N  I                      J                                                        #J
1  2  4  4  9,10,11,12             1,3,4,10,14,15,18,25,28,32,35,38,41,42,44,48,49,52,56    19
1  2  4  4  41,42,43,44            5,9,13,19,20,23,24,26,27,30,33,36,37,39,43,44,47,51,55   19
1  2  5  5  41,42,43,44            5,20,26,27,30,37,43,44,51                                 9
1  3  6  6  5,6,7,8                7,28                                                      2
1  3  6  6  17,18,19,20            36,45                                                     2
1  4  7  7  -                      -                                                         -
2  5  8  7  5,6,7,8,13,14,15,16    21                                                        1

table 2



In the theorem below we state that non-empty sets $I, J$ of the same type as in table 2 cannot
be found for blockciphers consisting of 8 or more consecutive rounds of DES.

Theorem 1. Suppose that $R, T$ are integers with $R \ge 1$, $T \le 16$, $T \ge R + 7$. Then for every integer $M$
with $R \le M < T$ and for each $t$ in $\{1, \cdots, 56\}$, $Q(t) = \{1, \cdots, 64\}$.

Proof: Let $t, M$ be integers with $1 \le t \le 56$, $R \le M < T$. The key scheduling of DES has the property
that each integer in $\{1, \cdots, 56\}$ is chosen by at least one of the mappings $L_i, L_{i+1}$ for
$i \in \{1, \cdots, 15\}$. This can be verified by using the fact that the only integers in $\{1, \cdots, 56\}$ not
chosen by $PC2$ are 9, 18, 22, 25, 35, 38, 43, 54. Hence if there is an integer not chosen by $L_i$ and $L_j$
then $r(i) - r(j)$ must be equal to the difference (mod 28) of two of the integers 9, 18, 22, 25 or of
two of the integers 35, 38, 43, 54. But $r(i+1) - r(i)$ is either equal to 1 or 2 for $i = 1, \cdots, 16$.
From the recurrence relations (16) we infer that the sets $V_{R+2}(t)$, $V'_{T-2}(t)$ are non-empty. It is
easy to check from table 1 that $\mathcal{F}^2$ ($\mathcal{F}$ iterated twice) maps each non-empty subset of
$\{1, \cdots, 8\}$ onto $\{1, \cdots, 8\}$. Again by (16), we infer that $V_{R+4}(t) = V_{R+5}(t) = \cdots = \{1, \cdots, 8\}$,
$V'_{T-4}(t) = V'_{T-5}(t) = \cdots = \{1, \cdots, 8\}$. We have either $M \ge R + 4$, or $M \le T - 5$,
or $M + 1 = R + 4$ and $M = T - 4$. In these three cases, we have $X_M(t) \cup X'_M(t) =
X_{M+1}(t) \cup X'_{M+1}(t) = \{1, \cdots, 32\}$. This proves Theorem 1. □

Remark. By a similar method as in the proof of Theorem 1, one can show that in case $T = R + 6$,
$Q(t)$ can only be a proper subset of $\{1, \cdots, 64\}$ if $t$ is not chosen by both $L_R$ and $L_T$. From the
shift pattern one recovers that $r(R+6) - r(R)$ is equal to either 11 or 12 for $R = 1, 2, \cdots, 10$. If
$PC2$ is made in such a way that no difference of the integers not chosen by $PC2$ is congruent to
1, 2, 11 or 12 (mod 28) then in Theorem 1 we can replace $R + 7$ by $R + 6$. We do not know if, by
a proper choice of $PC2$, $R + 7$ can be replaced by $R + 5$.
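The recurrence (16), the sets (17),(18) and the enumeration behind Theorem 1 are small enough to run directly. The Python below is an added example, not code from the paper. It takes the function $\mathcal{F}$ of table 1 from the page as given; for $W_i(t)$ it uses the standard DES PC-2 table and shift schedule (the page itself only cites the eight positions PC-2 omits and that $r(i+1) - r(i)$ is 1 or 2). The direction of the cyclic shift $C$, the reading of (18) with $X'_{M+1}$ for the right half of $d''$, and the helper names (W, V_sets, X_of, Q, all_full, independent_bits) are this example's own assumptions, so the sets it prints for a four-round cipher follow these conventions and are not meant to reproduce the bit numbering of table 2.

```python
"""Dependency sets X_i(t), X'_i(t) and Q(t) of (15)-(18), computed with the
recurrence (16), plus an enumeration check of Theorem 1.  Added example.
Assumptions: the function F of table 1 is taken from the page; PC2 and the
shift schedule are the standard DES tables; C shifts a 28-bit half cyclically
to the left (the bit at offset o moves to offset o-r); (18) is read with
X'_{M+1} for the right half of d''."""

# F of table 1 on singletons; F(A) is the union of F({i}) over i in A.
F_TABLE = {
    1: {2, 3, 4, 5, 6, 8}, 2: {1, 3, 4, 5, 7, 8}, 3: {2, 4, 5, 6, 7, 8},
    4: {1, 3, 5, 6, 7, 8}, 5: {1, 2, 3, 4, 6, 7}, 6: {1, 2, 3, 5, 7, 8},
    7: {1, 2, 3, 4, 6, 8}, 8: {1, 2, 4, 5, 6, 7},
}

def F(A):
    return set().union(*(F_TABLE[i] for i in A))

# Standard DES PC-2; the positions 9,18,22,25,35,38,43,54 cited on the page are
# exactly the ones that never occur in it.
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
# Standard DES per-round shift amounts; r(i) is the cumulative shift before round i.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
R_OF = [sum(SHIFTS[:i]) for i in range(1, 17)]          # r(1)..r(16)

def W(i, t):
    """W_i(t): {j} if L_i sends key bit t into U_j (S-box j's input), else empty."""
    half, o = (0, t) if t <= 28 else (28, t - 28)
    pos = half + ((o - 1 - R_OF[i - 1]) % 28) + 1          # position of k_t after C^r(i)
    if pos not in PC2:
        return set()                                       # t is not chosen by L_i
    m = PC2.index(pos) + 1                                 # L_i sends t to m in 1..48
    return {(m - 1) // 6 + 1}

def V_sets(R, T, t):
    """V_i(t) for i = R-1..T+1 and V'_i(t) for i = T+1..R-1 by the recurrence (16)."""
    V = {R - 1: set(), R: set()}
    for i in range(R, T + 1):
        V[i + 1] = V[i - 1] | F(V[i]) | W(i, t)
    Vp = {T + 1: set(), T: set()}
    for i in range(T, R - 1, -1):
        Vp[i - 1] = Vp[i + 1] | F(Vp[i]) | W(i, t)
    return V, Vp

def X_of(Vset):
    """(17): the output-bit indices V_j = {4j-3..4j} of every S-box j in the set."""
    return {b for j in Vset for b in range(4 * j - 3, 4 * j + 1)}

def Q(R, M, T, t):
    """(18) for d' = (q_M, q_{M+1}), d'' = (q'_M, q'_{M+1}): the indices j in
    1..64 at which d'_j or d''_j may depend on key bit t."""
    V, Vp = V_sets(R, T, t)
    left = X_of(V[M]) | X_of(Vp[M])
    right = X_of(V[M + 1]) | X_of(Vp[M + 1])
    return left | {j + 32 for j in right}

def all_full(R, T):
    """Theorem 1 by enumeration: Q(t) = {1..64} for all M in [R, T) and all t."""
    return all(len(Q(R, M, T, t)) == 64 for M in range(R, T) for t in range(1, 57))

def independent_bits(R, M, T, I):
    """The set J of the page: indices j lying outside every Q(t) with t in I."""
    bad = set().union(*(Q(R, M, T, t) for t in I))
    return sorted(set(range(1, 65)) - bad)

if __name__ == "__main__":
    print("8 rounds, every Q(t) full:", all_full(1, 8), all_full(9, 16))
    print("4 rounds (R,M,T)=(1,2,4), t=9:", independent_bits(1, 2, 4, {9}))
```

all_full(1, 8) and all_full(9, 16) both return True, as Theorem 1 states, and the structure of the proof is visible in the code: W(i, t) or W(i+1, t) is non-empty for every t, and applying F twice to any non-empty set gives {1..8}, so V_{R+4}, V'_{T-4} and everything beyond are full. For four rounds, Q(1, 2, 4, 9) is a proper subset, so bit 21 (among others) is independent of key bit 9 in this model.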



4. SEQUENCES OF FACTOR SPACES IN DES 

In this section we shall investigate the sequences of factor spaces in blockciphers consisting
of a reduced number of rounds of DES. We shall use the same notation as in the previous sections.
In particular, the blockciphers $F_i : \mathbf{F}_2^{64} \times \mathbf{F}_2^{56} \to \mathbf{F}_2^{64}$ are defined by $F_i(q_0, q_1, k) =
(q_1,\ q_0 + S(EP\, q_1 + L_i k))$ for $(q_0, q_1) \in \mathbf{F}_2^{64}$ and $k \in \mathbf{F}_2^{56}$, and $DES_{R,T} = F_T F_{T-1} \cdots F_R$. We shall
implicitly assume that the sequences of factor spaces we will consider are all with respect to
$F_R, \cdots, F_T$. Our aim is to investigate if $DES_{R,T}$ has sequences of useful factor spaces. (A
sequence of factor spaces $(\mathcal{V}_{R-1}, \mathcal{V}_R, \cdots, \mathcal{V}_T; \mathcal{W})$ is called useful if $\mathcal{W} \neq [0]$ and $\mathcal{V}_T \neq \mathbf{F}_2^{64}$.)

Example 1. Let $t \in \{1, \cdots, 56\}$ and let $X_{R-1}(t), X_R(t), \cdots$ be the sets recursively defined
by (15). Let $\mathcal{V}_i$ be the space of vectors of which the bits with indices outside

$$Y_i(t) = X_i(t) \cup \{j > 32 : j - 32 \in X_{i+1}(t)\}$$

are 0 and let $\mathcal{W}$ be the space generated by the vector in $\mathbf{F}_2^{56}$ of which only the $t$-th bit is equal to
1. Then $(\mathcal{V}_{R-1}, \mathcal{V}_R, \cdots, \mathcal{V}_T; \mathcal{W})$ is a sequence of factor spaces for $DES_{R,T}$ and this sequence is
useful if and only if $Y_T(t)$ is properly contained in $\{1, \cdots, 64\}$.

Example 2. Reeds and Manferdelli [84] introduced the notion of a "per round linear factor"
for DES. A per round linear factor is a linear mapping $A$ on $\mathbf{F}_2^{48}$ for which there exists a
mapping $\bar{S}$ with $A\, EP\, S = \bar{S} A$. If there exists a per round linear factor $A$ which is neither invertible
nor has the property that $AE$ maps each vector to 0 then one can prove that $(\mathcal{V}, \cdots, \mathcal{V}; \mathcal{W})$ is
a useful sequence of factor spaces for $DES_{R,T}$, where

$$\mathcal{V} = [(v_0, v_1) \in \mathbf{F}_2^{64} : AE\, v_0 = AE\, v_1 = 0],$$
$$\mathcal{W} = [k \in \mathbf{F}_2^{56} : L_R k = L_{R+1} k = \cdots = L_T k = 0].$$




If $\mathcal{V}, \mathcal{U}$ are subspaces of $\mathbf{F}_2^{64}, \mathbf{F}_2^{48}$ respectively, then the spaces $S_p(\mathcal{V}), S_K(\mathcal{U})$ are defined by

$$S_p(\mathcal{V}) = [(v_1,\ v_0 + S(EP\, v_1 + c) + S(c)) : (v_0, v_1) \in \mathcal{V},\ c \in \mathbf{F}_2^{48}],$$
$$S_K(\mathcal{U}) = [(0,\ S(u + c) + S(c)) : u \in \mathcal{U},\ c \in \mathbf{F}_2^{48}].$$

Lemma 2. Let $\mathcal{V}_{R-1}, \mathcal{V}_R, \cdots, \mathcal{V}_T \subseteq \mathbf{F}_2^{64}$, $\mathcal{W} \subseteq \mathbf{F}_2^{56}$ be vector spaces. Then the following statements
are equivalent:

(i) $(\mathcal{V}_{R-1}, \cdots, \mathcal{V}_T; \mathcal{W})$ is a sequence of factor spaces for $DES_{R,T}$;

(ii) $S_p(\mathcal{V}_{i-1}) + S_K(L_i(\mathcal{W})) \subseteq \mathcal{V}_i$ for $i = R, R+1, \cdots, T$.

Proof: In view of Lemma 1, it suffices to show that for $i = R, R+1, \cdots, T$,

$$S_p(\mathcal{V}_{i-1}) + S_K(L_i(\mathcal{W})) = [F_i(q_0 + v_0, q_1 + v_1, k + w) + F_i(q_0, q_1, k) : (q_0, q_1) \in \mathbf{F}_2^{64},\ k \in \mathbf{F}_2^{56},\ (v_0, v_1) \in \mathcal{V}_{i-1},\ w \in \mathcal{W}]. \qquad (19)$$

Denote the right-hand side of (19) by $\mathcal{U}_i$. Let $i \in \{R, \cdots, T\}$. It is easy to check that for
$(v_0, v_1) \in \mathcal{V}_{i-1}$, $c \in \mathbf{F}_2^{48}$,

$$(v_1,\ v_0 + S(EP\, v_1 + c) + S(c)) = F_i(v_0, v_1, k) + F_i(0, 0, k),$$

where $k \in \mathbf{F}_2^{56}$ is chosen such that $L_i k = c$. This shows that

$$S_p(\mathcal{V}_{i-1}) \subseteq \mathcal{U}_i . \qquad (20)$$

It is also easy to verify that for $w \in \mathcal{W}$, $c \in \mathbf{F}_2^{48}$,

$$(0,\ S(L_i w + c) + S(c)) = F_i(0, 0, k + w) + F_i(0, 0, k),$$

where again $k \in \mathbf{F}_2^{56}$ is chosen such that $L_i k = c$. Hence

$$S_K(L_i(\mathcal{W})) \subseteq \mathcal{U}_i . \qquad (21)$$

On the other hand, for $(q_0, q_1) \in \mathbf{F}_2^{64}$, $k \in \mathbf{F}_2^{56}$, $(v_0, v_1) \in \mathcal{V}_{i-1}$, $w \in \mathcal{W}$,

$$F_i(q_0 + v_0, q_1 + v_1, k + w) + F_i(q_0, q_1, k)$$
$$= (v_1,\ v_0 + S(EP\, v_1 + L_i w + EP\, q_1 + L_i k) + S(EP\, q_1 + L_i k))$$
$$= (v_1,\ v_0 + S(EP\, v_1 + c_1) + S(c_1)) + (0,\ S(L_i w + c_2) + S(c_2)),$$

where

$$c_1 = L_i w + EP\, q_1 + L_i k, \qquad c_2 = EP\, q_1 + L_i k .$$

Hence

$$\mathcal{U}_i \subseteq S_p(\mathcal{V}_{i-1}) + S_K(L_i(\mathcal{W})). \qquad (22)$$

A combination of (20),(21),(22) yields (19). □
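Lemma 1 (ii), and the way Lemma 2 splits the admissible differences of one round into a plaintext part $S_p(\mathcal{V}_{i-1})$ and a key part $S_K(L_i(\mathcal{W}))$, can be checked by brute force on a cipher small enough to enumerate. The Python below is an added example, not code from the paper: it uses a constructed 8-bit DES-like round with 4-bit halves, the 4-bit S-box of the PRESENT cipher in place of the eight DES S-boxes, $EP$ replaced by the identity, and a constructed key schedule $L_i$ that selects one nibble of an 8-bit key. Subspaces are represented as sets of 8-bit integers; span, differences, is_factor_step, minimal_next_space and demo are this example's names.

```python
"""Brute-force check of Lemma 1 (ii) / Lemma 2 on a constructed 8-bit DES-like
round.  Added example: F_i(q0,q1,k) = (q1, q0 + S(q1 + L_i k)) with 4-bit halves,
the PRESENT S-box in place of the eight DES S-boxes, EP replaced by the identity
and a constructed schedule L_i that selects one nibble of an 8-bit key.
Subspaces of F_2^8 are handled as sets of 8-bit integers."""
from itertools import product

# 4-bit S-box of the PRESENT cipher (used here only as a small nonlinear map).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def L(i, k):
    """Constructed key schedule: odd rounds use the low nibble, even rounds the high."""
    return (k >> (4 * ((i - 1) % 2))) & 0xF

def round_fn(i, p, k):
    """F_i on a packed block p = (q0 << 4) | q1; returns (q1, q0 + S(q1 + L_i k))."""
    q0, q1 = p >> 4, p & 0xF
    return (q1 << 4) | (q0 ^ SBOX[q1 ^ L(i, k)])

def span(gens):
    """All elements of the subspace of F_2^8 generated by `gens` (GF(2) row reduction)."""
    basis = {}                                   # leading bit -> basis vector
    for g in gens:
        while g:
            hb = g.bit_length() - 1
            if hb not in basis:
                basis[hb] = g
                break
            g ^= basis[hb]
    elems = {0}
    for b in basis.values():
        elems |= {e ^ b for e in elems}
    return frozenset(elems)

def differences(i, V_prev, W):
    """{F_i(p+x, k+y) + F_i(p, k) : all p, k; x in V_prev; y in W}, the set that
    Lemma 1 (ii) requires to lie inside V_i."""
    out = set()
    for p, k in product(range(256), repeat=2):
        base = round_fn(i, p, k)
        for x in V_prev:
            for y in W:
                out.add(round_fn(i, p ^ x, k ^ y) ^ base)
    return out

def is_factor_step(i, V_prev, V_cur, W):
    """True iff Lemma 1 (ii) holds for round i with the given V_{i-1}, V_i, W."""
    return differences(i, V_prev, W) <= set(V_cur)

def minimal_next_space(i, V_prev, W):
    """The smallest admissible V_i: the span of the difference set (for this kind
    of round it equals S_p(V_{i-1}) + S_K(L_i(W)) of Lemma 2)."""
    return span(differences(i, V_prev, W))

def demo():
    """Grow a sequence of factor spaces from V_0 = [0] and W = [key bit 0]."""
    W = span([0b00000001])
    V0 = span([])
    V1 = minimal_next_space(1, V0, W)    # round 1 reads key bit 0: S_K(L_1(W)) appears
    V2 = minimal_next_space(2, V1, W)    # round 2 ignores it, but S_p(V1) spreads V1
    return V0, V1, V2, W

if __name__ == "__main__":
    V0, V1, V2, W = demo()
    print(len(V0), len(V1), len(V2), "elements; V1 =", sorted(V1))
```

With $\mathcal{V}_0 = [0]$ and $\mathcal{W}$ spanned by key bit 0, the only differences round 1 produces are $(0, S(c+1) + S(c))$, i.e. exactly $S_K(L_1(\mathcal{W}))$; for the PRESENT S-box these span a three-dimensional subspace of the right half (a small-scale analogue of the exceptional cases listed for DES's S-box 4 in Lemma 4), so $\mathcal{V}_1$ has 8 elements. Round 2 does not read key bit 0, but $S_p(\mathcal{V}_1)$ copies the right-half difference into the left half and feeds it through the S-box, so $\mathcal{V}_2$ is strictly larger, which is the mechanism that drives Lemma 5 below.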

In the statement of the next lemma, we use the following notation. Define the linear mappings
$p_i : \mathbf{F}_2^{48} \to \mathbf{F}_2^6$, $p_i^* : \mathbf{F}_2^4 \to \mathbf{F}_2^{32}$, $p_i^{**} : \mathbf{F}_2^4 \to \mathbf{F}_2^{64}$, $U : \mathbf{F}_2^{64} \to \mathbf{F}_2^{48}$ as follows:

$p_i(x) = x_i$ for $x = (x_1, \cdots, x_8)$ with $x_1, \cdots, x_8 \in \mathbf{F}_2^6$;

$p_i^*(y) = (0, \cdots, 0, y, 0, \cdots, 0)$ (with $y$ on the $i$-th place);

$p_i^{**}(y) = (0, p_i^*(y))$;

$U(x, y) = EP\, y$.

Finally, for any subspace $\mathcal{U}$ of $\mathbf{F}_2^6$, we define the spaces $T_j(\mathcal{U}), T'_j(\mathcal{U})$ ($j = 1, \cdots, 8$) by

$$T_j(\mathcal{U}) = [S_j(u + c) + S_j(c) : u \in \mathcal{U},\ c \in \mathbf{F}_2^6],$$
$$T'_j(\mathcal{U}) = [S_j(u + c) + S_j(c) + S_j(u) + S_j(0) : u \in \mathcal{U},\ c \in \mathbf{F}_2^6].$$

Lemma 3. Let $\mathcal{V} = [(v_{0j}, v_{1j}) : j = 1, \cdots, p] \subseteq \mathbf{F}_2^{64}$, $\mathcal{U} = [w_j : j = 1, \cdots, q] \subseteq \mathbf{F}_2^{48}$ be vector spaces.
Then

$$S_p(\mathcal{V}) = [(v_{1j},\ v_{0j} + S(EP\, v_{1j}) + S(0)) : j = 1, \cdots, p] + \sum_{k=1}^{8} p_k^{**} T'_k(p_k U(\mathcal{V})), \qquad (23)$$

$$S_K(\mathcal{U}) = [(0,\ S(w_j) + S(0)) : j = 1, \cdots, q] + \sum_{k=1}^{8} p_k^{**} T'_k(p_k(\mathcal{U})). \qquad (24)$$

Proof: We shall only prove (23); (24) can be proved in a similar way. For convenience, we introduce
the following notation:

$$s(v_0, v_1, c) = (v_1,\ v_0 + S(EP\, v_1 + c) + S(c)) \quad \text{for } (v_0, v_1) \in \mathbf{F}_2^{64},\ c \in \mathbf{F}_2^{48};$$
$$t_j(u, c) = S_j(u + c) + S_j(c) + S_j(u) + S_j(0) \quad \text{for } u, c \in \mathbf{F}_2^6.$$

First of all we remark that for subspaces $\mathcal{V}_1, \mathcal{V}_2$ of $\mathbf{F}_2^{64}$,

$$S_p(\mathcal{V}_1 + \mathcal{V}_2) = S_p(\mathcal{V}_1) + S_p(\mathcal{V}_2) \qquad (25)$$

and that for subspaces $\mathcal{U}_1, \mathcal{U}_2$ of $\mathbf{F}_2^6$,

$$T'_j(\mathcal{U}_1 + \mathcal{U}_2) = T'_j(\mathcal{U}_1) + T'_j(\mathcal{U}_2) \quad \text{for } j = 1, \cdots, 8. \qquad (26)$$

(25) follows easily from the identity

$$s(v'_0 + v''_0,\ v'_1 + v''_1,\ c) = s(v'_0, v'_1, c + EP\, v''_1) + s(v''_0, v''_1, c)$$

for $(v'_0, v'_1), (v''_0, v''_1) \in \mathbf{F}_2^{64}$, $c \in \mathbf{F}_2^{48}$, while (26) is an easy consequence of the identity

$$t_j(u' + u'', c) = t_j(u', u'' + c) + t_j(u'', c) + t_j(u', u'')$$

for $u', u'', c \in \mathbf{F}_2^6$, $j = 1, \cdots, 8$.

In view of (25),(26), it suffices to prove (23) for $p = 1$. Let $\mathcal{V} = [(v_0, v_1)]$ and put

$$\mathcal{V}' = [(v_1,\ v_0 + S(EP\, v_1) + S(0))] = [s(v_0, v_1, 0)],$$
$$\mathcal{V}_j = p_j^{**} T'_j(p_j U(\mathcal{V})) = [p_j^{**} t_j(p_j EP\, v_1, c) : c \in \mathbf{F}_2^6] \quad \text{for } j = 1, \cdots, 8.$$

From the identity

$$s(v_0, v_1, c) = s(v_0, v_1, 0) + \sum_{k=1}^{8} p_k^{**} t_k(p_k EP\, v_1, p_k c) \quad \text{for } c \in \mathbf{F}_2^{48}, \qquad (27)$$

it follows easily that

$$S_p(\mathcal{V}) \subseteq \mathcal{V}' + \sum_{k=1}^{8} \mathcal{V}_k . \qquad (28)$$

On the other hand we have

$$\mathcal{V}' \subseteq S_p(\mathcal{V}). \qquad (29)$$

Let $d \in \mathbf{F}_2^6$ and choose $c \in \mathbf{F}_2^{48}$ such that $p_j(c) = d$, $p_k(c) = 0$ for $k \neq j$. Then (27) implies that

$$p_j^{**} t_j(p_j EP\, v_1, d) = s(v_0, v_1, c) + s(v_0, v_1, 0).$$

Hence

$$\mathcal{V}_j \subseteq S_p(\mathcal{V}) \quad \text{for } j = 1, \cdots, 8. \qquad (30)$$

Now (23) follows at once from (28),(29),(30). □




Lemma 3 shows that for each subspace $\mathcal{V}$ of $\mathbf{F}_2^{64}$ ($\mathcal{U}$ of $\mathbf{F}_2^{48}$) the space $S_p(\mathcal{V})$ ($S_K(\mathcal{U})$)
can be expressed as the sum of a space generated by a set of vectors of which the cardinality is
not larger than the dimension of $\mathcal{V}$ ($\mathcal{U}$) and spaces which can be described completely in terms
of the S-boxes. Thus Lemma 3 provides us with a rather efficient method to check whether a given
sequence of spaces $(\mathcal{V}_{R-1}, \mathcal{V}_R, \cdots, \mathcal{V}_T; \mathcal{W})$ is a sequence of factor spaces for $DES_{R,T}$. From the
arguments used in the proof of Lemma 3 it is clear that this method can also be applied to a
general class of block ciphers which can be described in the same way as DES, with arbitrary S-boxes
(which can be different in each round), an arbitrary linear mapping instead of $EP$ (where it
is allowed that in different rounds different linear mappings are chosen) and arbitrary surjective
linear mappings instead of the $L_i$.

We shall now give explicit expressions for the spaces $S_p(\mathcal{V})$, $S_K(\mathcal{U})$. For this purpose we
have only to compute the spaces $T'_g(\mathcal{U})$ with $\mathcal{U} \subseteq \mathbf{F}_2^6$.

Lemma 4. For all $g$ in $\{1, \cdots, 8\}$ and all subspaces $\mathcal{U}$ of $\mathbf{F}_2^6$ with $\mathcal{U} \neq [0]$, we have
$T_g(\mathcal{U}) = T'_g(\mathcal{U}) = \mathbf{F}_2^4$, with the following exceptions:

$T_4([000001]) = [1100, 0011, 1010]$, $T'_4([000001]) = [1100, 0011]$;

$T_4([101110]) = T'_4([101110]) = [1010, 0101]$;

$T_4([101111]) = T'_4([101111]) = [1001, 0110]$;

$T_4([000001, 101110]) = T'_4([000001, 101110]) = [1100, 0011, 1010]$.

Proof: This can be verified by straightforward computation. □

In the theorem below, the sets $S^p(\mathcal{V}), S^K(\mathcal{U})$, with $\mathcal{V}, \mathcal{U}$ being subspaces of $\mathbf{F}_2^{64}, \mathbf{F}_2^{48}$
respectively, are defined by

$$S^p(\mathcal{V}) = \{g : 1 \le g \le 8,\ p_g U(\mathcal{V}) \neq [0]\},$$
$$S^K(\mathcal{U}) = \{g : 1 \le g \le 8,\ p_g(\mathcal{U}) \neq [0]\}.$$

Theorem 2. Let $\mathcal{V}, \mathcal{U}$ be subspaces of $\mathbf{F}_2^{64}, \mathbf{F}_2^{48}$ respectively. Then

(i)

where

$$\mathcal{V}' = [(v_1, v_0) : (v_0, v_1) \in \mathcal{V}] \quad \text{if } p_4 U(\mathcal{V}) \neq [000001],$$

$$\mathcal{V}' = \left[ \begin{cases} 0 & \text{if } p_4 EP\, v_1 = 000000 \\ (v_1,\ v_0 + p_4^*(1010)) & \text{if } p_4 EP\, v_1 = 000001 \end{cases} : (v_0, v_1) \in \mathcal{V} \right] \quad \text{if } p_4 U(\mathcal{V}) = [000001];$$

and where $\mathcal{V}_g = p_g^{**}(\mathbf{F}_2^4)$ for $g \in S^p(\mathcal{V})$ with the following exceptions if $4 \in S^p(\mathcal{V})$:

$\mathcal{V}_4 = p_4^{**}([1100, 0011])$ if $p_4 U(\mathcal{V}) = [000001]$;
$\mathcal{V}_4 = p_4^{**}([1010, 0101])$ if $p_4 U(\mathcal{V}) = [101110]$;
$\mathcal{V}_4 = p_4^{**}([1001, 0110])$ if $p_4 U(\mathcal{V}) = [101111]$;
$\mathcal{V}_4 = p_4^{**}([1100, 0011, 1010])$ if $p_4 U(\mathcal{V}) = [000001, 101110]$.

(ii)

where $\mathcal{U}_g = p_g^{**}(\mathbf{F}_2^4)$ for $g \in S^K(\mathcal{U})$ with the following exceptions if $4 \in S^K(\mathcal{U})$:

$\mathcal{U}_4 = p_4^{**}([1010, 0101])$ if $p_4(\mathcal{U}) = [101110]$;
$\mathcal{U}_4 = p_4^{**}([1001, 0110])$ if $p_4(\mathcal{U}) = [101111]$;
$\mathcal{U}_4 = p_4^{**}([1100, 0011, 1010])$ if $p_4(\mathcal{U}) = [000001]$ or $[000001, 101110]$.

Proof: The proofs of (i),(ii) can be derived easily from Lemmas 3,4. We shall only give a rough
sketch of the proof of (i). By Lemma 4,

$$p_g^{**}\left[S_g(p_g EP\, v_1) + S_g(0)\right] \in \mathcal{V}_g \quad \text{for } g \in S^p(\mathcal{V})$$

except when $g = 4$, $p_4 EP\, v_1 = 000001$. This proves that for $(v_0, v_1) \in \mathcal{V}$ there is a vector $u$ such that

$$(v_1,\ v_0 + S(EP\, v_1) + S(0)) = (v_1,\ v_0 + u) \quad \text{if } p_4 EP\, v_1 \neq 000001,$$
$$(v_1,\ v_0 + S(EP\, v_1) + S(0)) = (v_1,\ v_0 + p_4^*\{S_4(p_4 EP\, v_1) + S_4(0)\}) + u = (v_1,\ v_0 + p_4^*(1010)) + u \quad \text{if } p_4 EP\, v_1 = 000001.$$

These facts immediately prove (i). □






We shall now prove that blockciphers consisting of eight or more consecutive rounds of
DES are resistant against a meet-in-the-middle attack using sequences of factor spaces. To this
end we shall need the following lemma.

Lemma 5. Let $T \ge R + 3$. If $(\mathcal{V}_{R-1}, \cdots, \mathcal{V}_T; \mathcal{W})$ is a sequence of factor spaces for $DES_{R,T}$
with $\mathcal{W} \neq [0]$, then

(i) $\mathcal{V}_{R+3} \supseteq [(0, y) : y \in \mathbf{F}_2^{32}]$,

(ii) $\mathcal{V}_{R+i} = \mathbf{F}_2^{64}$ for $i \ge 4$.

Proof: (ii) is an immediate consequence of (i) and Lemmas 2,4. We shall now prove (i). Since
all elements of $\{1, \cdots, 56\}$ are chosen by at least one of the mappings $L_R, L_{R+1}$, at least one of
the spaces $S_K(L_R(\mathcal{W})), S_K(L_{R+1}(\mathcal{W}))$ is $\neq [0]$. By Lemma 2 and Theorem 2,

for some non-empty subset $S$ of $\{1, \cdots, 8\}$, where $\mathcal{V}_g = p_g^{**}(\mathbf{F}_2^4)$ if $g \neq 4$ and $\mathcal{V}_4 = p_4^{**}(\mathcal{U}_1)$ with
$\mathcal{U}_1$ being a subspace of $\mathbf{F}_2^4$ with $\mathcal{U}_1 \neq [0]$ in case that $4 \in S$. The space $\mathcal{U}_1$ has the property that
for each $j$ in $\{1, \cdots, 4\}$ there is a vector $x_1 x_2 x_3 x_4$ in $\mathcal{U}_1$ with $x_j \neq 0$. $EP$ sends the indices of
the output bits of S-box $S_i$ (i.e. the elements of $\{4i - 3, \cdots, 4i\}$) to the indices of the input bits
of 6 different S-boxes, namely the S-boxes with $k \in \mathcal{F}(\{i\})$, where $\mathcal{F}$ is the function defined in
table 1. Together with Lemma 2 and Theorem 2 these facts imply that

where $\mathcal{V}'_g = p_g^{**}(\mathbf{F}_2^4)$ for $g \in \mathcal{F}(S)$, and when $4 \in \mathcal{F}(S)$, $\mathcal{V}'_4 = p_4^{**}(\mathcal{U}_2)$ for some subspace $\mathcal{U}_2$ of $\mathbf{F}_2^4$ with
$\mathcal{U}_2 \neq [0]$. We remark that

$$S_p(p_g^{**}(\mathbf{F}_2^4)) \supseteq p_4^{**}(\mathbf{F}_2^4) \quad \text{for } g = 2, 3, 5, 7, 8, \qquad (31)$$

hence $\mathcal{U}_2 = \mathbf{F}_2^4$ if one of the numbers 2, 3, 5, 7, 8 belongs to $S$. Since $\mathcal{F}(S)$ has cardinality at least
6, at least one of the numbers 2, 3, 5, 7, 8 belongs to $\mathcal{F}(S)$. By repeating the argument from above,
and using that $\mathcal{F}^2$ maps each non-empty subset of $\{1, \cdots, 8\}$ onto $\{1, \cdots, 8\}$, we obtain

$$\mathcal{V}_{R+3} \supseteq \sum_{g=1}^{8} p_g^{**}(\mathbf{F}_2^4) = [(0, y) : y \in \mathbf{F}_2^{32}].$$

This completes the proof of Lemma 5. □

Lemma 5 includes the result of Meyer mentioned in §1. Another consequence of Lemma 5 
is that the only per round linear factors of DES are the linear mappings $A$ for which 
either $A$ is invertible or $AE$ maps each vector of $F_2^{32}$ onto 0 (cf. example 2 at the beginning of 
this section). This fact was already proved by Reeds and Manferdelli [84]. 
We shall now prove our final result. 

Theorem 3. Let $R, M, T$ be integers with $1 \le R < M < T \le 16$ and $T \ge R+7$. Let 

$(\mathcal{V}_{R-1}, \mathcal{V}_R, \ldots, \mathcal{V}_M; \mathcal{W})$, $(\mathcal{V}'_T, \mathcal{V}'_{T-1}, \ldots, \mathcal{V}'_M; \mathcal{W}')$ be sequences of factor spaces for 
$\mathrm{DES}_{R,M}$, $\mathrm{DES}_{M+1,T}$, respectively, such that $\mathcal{W} \neq [0]$ and $\mathcal{V}'_M = \mathcal{V}_M$. Then 

Proof: In the proof we shall use that the inverse of a round of DES (i.e. one of the blockciphers 
$F_i$) is equal to the round itself, except that the left half and the right half of both plaintext and 
ciphertext must be interchanged. 

We distinguish three cases: (i) $M \ge R+4$; (ii) $M \le T-5$; (iii) $M = R+3 = T-4$. In case (i) 
we have $\mathcal{V}_M = F_2^{64}$ by Lemma 5 (ii). In case (ii) we can prove, completely similarly to Lemma 5 
(ii), that $\mathcal{V}'_M = F_2^{64}$, using that all elements of $\{1, \ldots, 56\}$ are chosen by at least one of the map-
pings $L_T, L_{T-1}$. In case (iii) we have firstly, by Lemma 5 (i), $\mathcal{V}_M = \mathcal{V}_{R+3} \supseteq [(0,y) : y \in F_2^{32}]$. By 
an argument completely similar to the proof of Lemma 5 (i), one has $\mathcal{V}'_M = \mathcal{V}'_{T-4} \supseteq [(x,0) : x \in F_2^{32}]$. 
This completes the proof of Theorem 3. □ 

Remark. By changing PC2 in the way described at the end of §3, it is possible to replace 
the condition $T \ge R+7$ by $T \ge R+6$ in Theorem 3. This can be proved in a similar way as 
Theorem 3. 

CONCLUDING REMARKS 

Linear structures allowing known-plaintext attacks on blockciphers have been investigated, 
particularly those consisting of a reduced number of consecutive rounds of DES. The first struc-
tures we looked for were "bits in the middle" independent of key bits. Such independencies were 
found only in blockciphers comprising less than eight rounds of DES. We discovered that PC2 
was not optimal in the sense that by a change of PC2 blockciphers of seven instead of eight con-
secutive rounds of DES would have no "bits in the middle" independent of key bits. The 
existence of such independencies in blockciphers for such numbers of rounds depends only on the 
structure of the tables E, P, and PC2; these independencies would hold for any S-boxes. More 
general linear structures were also considered, namely sequences of linear factors. The existence 
of these factors depends not only on the structure of E, P, and PC2, but also on the structure of 
the S-boxes. In spite of some linear structure in S-box 4, we were able to show that blockciphers 
consisting of eight or more consecutive rounds of DES do not have sequences of linear factors 
with respect to these rounds that can reduce the search time for the key in a meet-in-the-middle 
attack. 






A natural extension of the attacks described in this paper would seek changes in the tables 
defining the S-boxes that yield S-boxes with linear factors cooperating to give useful sequences of 
linear factors. (One might even change the S-boxes differently in different rounds.) Any 
sequence of linear factors for the cipher with the modified S-boxes is then a sequence of "near" 
linear factors for the original cipher. (As has been pointed out in §2, such attacks generalize 
several ideas in [Hellman et al 76] and [Desmedt, Quisquater and Davio 84].) In this way one 
might obtain sequences of near linear factors that allow cryptanalysis of blockciphers consisting 
of eight or more rounds of DES. 

REFERENCES 

(1) National Bureau of Standards, "Data Encryption Standard", U.S. Department of Com-
merce, FIPS pub. 46 (January 1977). 

(2) Davio, M., Desmedt, Y., Fosseprez, M., Govaerts, R., Hulsbosch, J., Neutjens, P., Piret, P., 
Quisquater, J.J., Vandewalle, J., Wouters, P., "Analytical characteristics of the DES," in 
Advances in Cryptology: Proc. Crypto '83, D. Chaum, ed., Plenum, New York (1984), pp. 
171-202. 

(3) Desmedt, Y., Quisquater, J.J., Davio, M., "Dependence of output on input in DES: Small 
avalanche characteristics," in Advances in Cryptology: Proc. Crypto '84, G.R. Blakley and 
D. Chaum, eds., Lecture Notes in Computer Science 196, Springer-Verlag, Berlin (1985), 
pp. 359-376. 

(4) Hellman, M., Merkle, R., Schroeppel, R., Washington, L., Diffie, W., Pohlig, S., Schweitzer, 
P., "Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard," 
Information Systems Lab. report SEL 76-042, Stanford University (1976). 

(5) Meyer, C.H., "Ciphertext-plaintext and ciphertext-key dependencies vs. number of rounds 
for the Data Encryption Standard," AFIPS Conference Proceedings, 47, (June 1978), pp. 
1119-1126. 

(6) Reeds, J.A., Manferdelli, J.L., "DES has no per round linear factors," in Advances in Cryp-
tology: Proc. Crypto '84, G.R. Blakley and D. Chaum, eds., Lecture Notes in Computer 
Science 196, Springer-Verlag, Berlin (1985), pp. 377-389. 



Is DES a Pure Cipher? 
(Results of More Cycling Experiments on DES)¹ 

(Preliminary Abstract) 

Burton S. Kaliski Jr., Ronald L. Rivest, and Alan T. Sherman 

MIT Laboratory for Computer Science 
545 Technology Square 
Cambridge, MA 02139 
December 1985 



Abstract 

During summer 1985, we performed eight cycling experiments on the Data Encryption Stan-
dard (DES) to see if DES has certain algebraic weaknesses. Using special-purpose hardware, we 
applied the cycling closure test described in our Eurocrypt 85 paper to determine whether DES is 
a pure cipher. We also carried out a stronger version of this test. (A cipher is pure if, for any keys 
$i, j, k$, there exists some key $l$ such that $T_iT_j^{-1}T_k = T_l$, where $T_w$ denotes encryption under key 
$w$.) In addition, we followed the orbit of a randomly chosen DES transformation for $2^{36}$ steps, 
as well as the orbit of the composition of two of the "weak key" transformations. Except for 
the weak key experiment, our results are consistent with the hypothesis that DES acts like a set 
of randomly chosen permutations. In particular, our results show with overwhelming confidence 
that DES is not pure. The weak key experiment produced a short cycle of about $2^{33}$ steps, the 
consequence of hitting a fixed point for each weak key. 

Key Words and Phrases 

Birthday Paradox, closed cipher, cryptanalysis, cryptography, cryptology, cycle-detection algo- 
rithm, Data Encryption Standard (DES), finite permutation group, idempotent cryptosystem, 
multiple encryption, pure cipher. 



¹This research is supported by NSF grant MCS-8006938 and IBM. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 212-226, 1986. 
© Springer-Verlag Berlin Heidelberg 1986 






1 Introduction 

At the Eurocrypt 85 conference, we presented experimental statistical evidence that the set of 
DES transformations is not closed under functional composition [KRS85].² During May to Au-
gust 1985, we performed additional experiments to determine if DES has certain other related 
algebraic weaknesses. In particular, we addressed the open question, "Is DES a pure cipher?"³ 
In addition, we performed a strengthened version of our closure test and we ran two experiments 
to investigate the order of DES transformations. Using a combination of software and special-
purpose hardware, we carried out eight experiments, covering five different algebraic tests. Al-
though we experimented only with DES, our tests are general in nature and apply to any finite, 
deterministic cryptosystem. 

None of our experiments involving randomly chosen DES transformations detected any alge-
braic weaknesses. In particular, our data show with extremely high confidence that DES is not 
pure. However, one experiment inadvertently discovered fixed points for two of the keys, thereby 
revealing a previously unpublished additional weakness of the weak keys [Dav82]. 

This abstract is organized in four sections. Section 1 gives an overview of our experiments 
and explains the purpose of our tests. Section 2 introduces the notation and terminology used 
throughout the abstract and summarizes previous cycling studies on DES. Section 2 also briefly 
reviews the cycling closure test and describes our hardware implementation of it. Section 3 lists 
concise descriptions of our algebraic tests. Finally, section 4 summarizes our findings and explains 
the two interesting structural properties that we encountered during our tests. An appendix which 
describes our detailed experimental results is also included. 

1.1 Overview and Motivation 

It is important to know if DES is pure for essentially the same reasons that it is important to 
know if DES is closed. If DES were pure, then Tuchman's multiple encryption scheme would be 
equivalent to single encryption, and DES would be vulnerable to a known-plaintext attack that 
runs in $2^{28}$ steps on the average [KRS85].⁴ It is possible that DES is pure, but not closed. (Of 
course, if DES were closed, then DES would also be pure.) Although there is no particular reason 
to suspect that DES is pure, it is unknown in the open literature if DES has this weakness. 

The question "Is DES closed?" is a question about the order of the group generated by DES. 
A related and more detailed question — which we call the small subgroup question — is: "What is 
the order of the group generated by $n$ given DES transformations?" Any set of DES transforma-
tions that generates a small group would suffer the weaknesses of closed ciphers. Specifically, any 
such set of transformations would be vulnerable to our known-plaintext attack against closed ci-
phers. In addition, multiple encryption (using either sequential multiple encryption or Tuchman's 
scheme) involving only transformations from such a set would be equivalent to single encryption 
from the set.⁵ Finally, when used in output-feedback mode with feedback width 64 [FIS80], any 
transformation from such a set would be at greater risk to produce a key stream with short period. 

²The Data Encryption Standard (DES) is a federal standard for the cryptographic protection of computer data, 
adopted in November 1976 by the United States National Bureau of Standards (NBS) [FIPS77,DaP84]. 
³See section 2.1 for a review of the definition of a pure cipher. 

⁴To encrypt a message $x$ under Tuchman's scheme is to compute $T_iT_j^{-1}T_k(x)$, where the keys $i$, $j$ and $k$ are 
chosen independently [Tuc78,MeM82]. 

⁵To encrypt a message $x$ using sequential multiple encryption is to compute $T_iT_j(x)$, where the keys $i$ and $j$ are 
chosen independently [MeH81]. 






Two of our tests address the small subgroup question for n = 1,2. 

To test DES for purity and other algebraic weaknesses, we examined the orbits of subsets 
of DES transformations on particular messages. Our method was to compute the orbits of sin-
gle DES transformations and to apply our cycling closure test to subsets of two or more DES 
transformations. To carry out the tests we built special-purpose hardware and implemented a 
variation of the constant-space cycle-detection algorithm described by Sedgewick and Szymanski 
[SSY82]. We applied our tests both to randomly chosen transformations and to transformations 
with special properties (e.g. transformations represented by weak keys). The dominant theme of 
our tests was to determine if DES has algebraic properties different from those expected from a 
set of randomly selected permutations. 

Since there is an overwhelming chance that even two randomly selected permutations will 
generate either the alternating group or the symmetric group [BoW77,Dix69], we did not expect 
to detect any pairs of DES transformations that generate small groups. 

2 Background 

2.1 Definitions and Notation 

The Data Encryption Standard (DES) specifies a mapping $T : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$, where $\mathcal{K} = \{0,1\}^{56}$ is 
the key space and $\mathcal{M} = \{0,1\}^{64}$ is the message space. Each key $k \in \mathcal{K}$ represents a transformation 
$T_k = T(k, \cdot)$, which, by the definition of DES, permutes $\mathcal{M}$. DES is endomorphic: its message 
space and ciphertext space are the same set. It is unknown if DES is faithful: does every key 
represent a distinct permutation? 

We shall use the following notations throughout the paper. Let $M = |\mathcal{M}| = 2^{64}$ be the degree 
of DES; let $K = |\mathcal{K}| = 2^{56}$ be the size of the key space; and let $\mathcal{T} = \bigcup\{T_k : k \in \mathcal{K}\}$ be the set of 
all DES transformations. In addition, for any transformation $T \in \mathcal{T}$, let $T^{-1}$ denote the inverse 
of $T$. 

Let $I$ be the identity permutation on $\mathcal{M}$, and let $A_{\mathcal{M}}$ and $S_{\mathcal{M}}$ be, respectively, the alternating 
group and symmetric group on $\mathcal{M}$.⁶ For any permutations $g, h$ we denote the composition of $g$ and 
$h$ by $gh = g \circ h = g[h(\cdot)]$. For any permutations $g_1, g_2, \ldots, g_n$, let $\langle g_1, g_2, \ldots, g_n \rangle$ denote the group 
generated by $g_1, g_2, \ldots, g_n$. Of course, for any $n$ DES transformations $T_1, T_2, \ldots, T_n$, it is true that 
$\langle T_1 \rangle \subseteq \langle T_1, T_2 \rangle \subseteq \langle T_1, T_2, \ldots, T_n \rangle \subseteq \langle \mathcal{T} \rangle$. Since each round of DES is an even permutation, it is 
also true that $\langle \mathcal{T} \rangle \subseteq A_{\mathcal{M}}$. 

For any subgroup $G \subseteq S_{\mathcal{M}}$, for any $x \in \mathcal{M}$, the $G$-orbit of $x$ is the set $G\text{-orbit}(x) = \{g(x) : g \in G\}$. 
For any permutation $g \in S_{\mathcal{M}}$, we may write $g\text{-orbit}(x)$ to denote the $\langle g \rangle$-orbit of $x$. If $f$ is any 
function (not necessarily a permutation) and if $x \in \mathrm{Domain}(f)$, we define the $f$-closure of $x$ to be 
the set $f\text{-closure}(x) = \{f^i(x) : i \ge 0\}$. For any subgroup $G \subseteq S_{\mathcal{M}}$, the order of $G$ is the number 
of elements in $G$. For any $g \in S_{\mathcal{M}}$, the order of $g$ is the order of $\langle g \rangle$. 

A cryptosystem is closed if and only if its set of encryption transformations is closed under 
functional composition, i.e. DES is closed if and only if for all keys $i, j \in \mathcal{K}$ there exists a key 
$k \in \mathcal{K}$ such that $T_iT_j = T_k$.⁷ Since every finite cancellation semigroup is a group, DES is closed 
if and only if $\mathcal{T}$ forms a group under functional composition. 

⁶See [Car56], [Rot78], or [Wie64] for a review of basic concepts in permutation group theory. 

⁷Note that we are using the term closed cipher to refer to what Shannon called an idempotent cipher [Sha49]. 
Shannon defined a closed cipher to be any cryptosystem with the property that each cryptographic transformation 
is surjective. 






Shannon's notion of a pure cipher generalizes the idea of closure to non-endomorphic cryp-
tosystems [Sha49]. DES is pure if and only if, for all keys $i, j, k \in \mathcal{K}$, there exists a key $l \in \mathcal{K}$ 
such that $T_iT_j^{-1}T_k = T_l$.⁸ It is easy to see that DES is pure if and only if for every $T_0 \in \mathcal{T}$ the 
set $T_0^{-1}\mathcal{T}$ is closed. Moreover, $T_0^{-1}\mathcal{T}$ is closed for every $T_0 \in \mathcal{T}$ if and only if $T_0^{-1}\mathcal{T}$ is closed for 
some $T_0 \in \mathcal{T}$. Every closed cryptosystem is pure, but not every endomorphic pure cryptosystem 
is closed. 

Finally, for any string $s \in \{0,1\}^*$, let $\bar{s}$ denote the bitwise complement of $s$. 

2.2 Previous Cycling Studies on DES 

To the best of our knowledge, the small subgroup question for two or more DES transformations 
had not been previously investigated in the open literature. A few researchers have, however, 
studied the pseudo-random key streams produced by DES in output-feedback mode [FIS80]. 
Whenever the feedback width is 64 bits, each such key stream describes the orbit of a DES 
transformation on some initial message. In a series of software experiments, Gait computed the 
key stream produced by DES in output-feedback mode to at most $10^6 \approx 2^{20}$ places. He found no 
cycles for nonweak keys [Gai77]. Gait did not state what feedback width he used. Davies and 
Price [DaP82,DaP82a] and Jueneman [Jue82] studied mathematically the cycle structure of the 
key stream produced in output-feedback mode, but did not report performing any experiments 
on DES. Davies and Price did run a series of experiments on random permutations on $\{0,1\}^8$ 
[DaP82a]. Finally, in a series of experiments, Hellman and Reyneri investigated the cycle structure 
of mappings induced by DES on the key space [HeR82]. None of these studies answered the 
question, "Is DES pure?" 

2.3 Review of Cycling Closure Test 

The cycling closure test is a statistical test that explores one aspect of the algebraic structure of 
any finite, deterministic cryptosystem. It works by taking a pseudo-random walk in the message 
space for a specified number of steps or until a cycle is detected. For each step of the pseudo-
random walk, the previous ciphertext is encrypted under a key chosen by a pseudo-random 
function of the previous ciphertext. Results of the test are asymmetrical: long walks are over-
whelming evidence that the set of permutations is not a group; short walks are strong evidence 
that the set of permutations has a structure different from that expected from a set of randomly 
chosen permutations [KRS85]. 

When applied to DES and given an initial message $x_0$, the cycling closure test computes the 
$\psi_\rho$-closure of $x_0$, where the function $\psi_\rho : \mathcal{M} \to \mathcal{M}$ is defined by $\psi_\rho(x) = T_{\rho(x)}(x)$ whenever $x \in \mathcal{M}$, 
and $\rho : \mathcal{M} \to \mathcal{K}$ is a deterministic pseudo-random function. If $\rho$ is "random," then $\psi_\rho$ acts like a 
random function on the $\langle \mathcal{T} \rangle$-orbit of $x_0$. The expected length of the $\psi_\rho$-closure computed by the 
test is about the square root of the length of the $\langle \mathcal{T} \rangle$-orbit of $x_0$. 

When applied to a subset $\mathcal{S} \subseteq \mathcal{T}$ of two or more DES transformations, the cycling closure test 
computes the $\psi_\rho$-closure of $x_0$, where $\rho : \mathcal{M} \to H$ and $H \subseteq \mathcal{K}$ is a set of keys that represents $\mathcal{S}$. 

If DES acts like a set of randomly chosen permutations, then we would expect $\langle \mathcal{T} \rangle\text{-orbit}(x_0) = 
\mathcal{M}$, in which case we would expect $|\psi_\rho\text{-closure}(x_0)| \approx \sqrt{M} = 2^{32}$. However, if DES were closed, 
then $|\langle \mathcal{T} \rangle\text{-orbit}(x_0)| \le K$, in which case we would expect $|\psi_\rho\text{-closure}(x_0)| \le \sqrt{K} = 2^{28}$. 



⁸Shannon also required each transformation of a pure cipher to be equally likely. 






The cycling closure test collects evidence which can be used to compute a measure of our 
relative degree of belief in the following two competing hypotheses: 

• $H_G$ = "DES is a group." 

• $H_R$ = "Each DES transformation was chosen independently with uniform probability from 
the symmetric group on $\mathcal{M}$." 

Let $E$ be the evidence that a trial of the cycling closure test ran for $r$ steps without detecting a 
cycle. As explained in [KRS85], this evidence can be interpreted by computing the conditional 
probabilities $p_G = P(E \mid H_G)$ and $p_R = P(E \mid H_R)$, where 

$p_G \approx e^{-r^2/2K}$ and $p_R \approx e^{-r^2/2M}$. (1) 

In light of the evidence $E$, a Bayesian would update her initial odds in favor of $H_G$ over $H_R$ by a 
factor of $p_G/p_R$. 
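The following Python program is an added example, not part of the paper and not the authors' hardware or software: it runs the cycling closure test just described on two constructed toy cipher families, one closed (a group of 64 XOR masks) and one built from a small keyed Feistel network whose transformations behave roughly like random permutations. Brent's constant-space cycle-finding algorithm stands in for the Sedgewick–Szymanski variant the authors implemented; the message and key sizes ($2^{16}$ and $2^{6}$), the S-box, the next-key function $\rho$ and the optional `ell > 1` state (the extended message space variant of section 3.4) are all assumptions. The Bayes factor uses the [KRS85] approximations $p_G \approx e^{-r^2/2K}$, $p_R \approx e^{-r^2/2M}$.

```python
# Added example (not from the paper): cycling closure test on two constructed
# toy cipher families, with Brent's cycle finder in place of the authors'
# Sedgewick-Szymanski variant.  Sizes below are assumptions, not DES's.
import math
import random

N_BITS = 16                       # toy message space M = {0,1}^16   (DES: 64)
K_BITS = 6                        # toy key space     K = {0,1}^6    (DES: 56)
M, K = 1 << N_BITS, 1 << K_BITS
HALF = N_BITS // 2
HMASK = (1 << HALF) - 1


def closed_family(k, x):
    """T_k(x) = x XOR (k << 10).  The 64 masks form an XOR-closed set, so
    {T_k} is a group: a 'closed' (hence pure) toy cipher."""
    return x ^ (k << (N_BITS - K_BITS))


_rng = random.Random(2024)        # fixed seed: the S-box is deterministic
_SBOX = list(range(1 << HALF))
_rng.shuffle(_SBOX)


def feistel_family(k, x):
    """Three Feistel rounds over 8-bit halves with a random 8-bit S-box.
    Not closed; its 64 permutations behave roughly like random ones."""
    l, r = x >> HALF, x & HMASK
    for rnd in range(3):
        subkey = (k * 17 + rnd * 47) & HMASK      # toy key schedule
        l, r = r, l ^ _SBOX[(r ^ subkey) & HMASK]
    return (l << HALF) | r


def brent(f, x0):
    """Brent's cycle detection: (leader, cycle) = (mu, lambda) for the sequence
    x0, f(x0), f(f(x0)), ... using O(1) memory."""
    power = lam = 1
    tortoise, hare = x0, f(x0)
    while tortoise != hare:
        if power == lam:                          # open a new power-of-two window
            tortoise, power, lam = hare, power * 2, 0
        hare = f(hare)
        lam += 1
    tortoise = hare = x0
    for _ in range(lam):
        hare = f(hare)
    mu = 0
    while tortoise != hare:
        tortoise, hare, mu = f(tortoise), f(hare), mu + 1
    return mu, lam


def cycling_closure_test(family, x0, seed, ell=1):
    """Walk x_{i+1} = psi_rho(x_i) = T_{rho(x_i)}(x_i) on M^ell (ell > 1 is the
    extended message space test) and return (leader, cycle, closure size),
    where closure size = |psi_rho-closure(x0)| = leader + cycle."""
    def rho(state):                               # assumed pseudo-random M^ell -> K
        h = seed
        for x in state:
            h = (h * 2654435761 + x) & 0xFFFFFFFF
        return (h >> 13) & (K - 1)

    def psi(state):
        k = rho(state)
        return tuple(family(k, x) for x in state)

    start = tuple((x0 + i * 7919) & (M - 1) for i in range(ell))
    mu, lam = brent(psi, start)
    return mu, lam, mu + lam


def log10_bayes_factor(r, key_space=K, msg_space=M):
    """[KRS85] interpretation of r cycle-free steps: p_G ~ exp(-r^2/2K) if the
    cipher is closed, p_R ~ exp(-r^2/2M) if it is random; returns log10(p_G/p_R)."""
    return (r * r / (2 * msg_space) - r * r / (2 * key_space)) / math.log(10)


if __name__ == "__main__":
    for name, fam in (("closed", closed_family), ("feistel", feistel_family)):
        mu, lam, size = cycling_closure_test(fam, 4242, seed=1)
        print(f"{name:8s} leader={mu:6d} cycle={lam:6d} closure={size:6d}"
              f"  log10(pG/pR)={log10_bayes_factor(size):8.1f}")
```

On the closed family the closure never exceeds $K = 64$ whatever `ell` is, because the walk stays inside a $\langle \mathcal{T} \rangle$-orbit of size 64; on the Feistel family it grows like $\sqrt{M^{\ell}}$ and the log Bayes factor turns sharply negative, which is the asymmetry described above: a long walk is decisive evidence against closure.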

2.4 Special-Purpose Hardware 

We carried out each experiment using special-purpose hardware which we had originally built to 
test DES for closure. The main feature of our hardware is that it can compute a sequence of $2^{31}$ 
DES encryptions per day, where at each step the previous ciphertext is encrypted under a key 
that depends on the previous ciphertext. Our hardware consists of a custom wire-wrap board 
that plugs into an IBM personal computer. The board contains one AMD Z8068 DES chip and a 
7.1 MHz finite state controller. By modifying the microcode of the board's finite-state controller, 
we adapted the board to carry out each of the five algebraic tests. (See [KRS85] for a more 
detailed description of our special-purpose hardware.⁹) 

3 Cycling Experiments on DES 

This section briefly describes the four additional cycling tests that we performed on DES. We 
call these tests the purity test, orbit test, small subgroup test, closure test, and extended message 
space closure test. A sixth reduced message space test is also described. 

3.1 Purity Test 

Pick any transformation $T_0 \in \mathcal{T}$ and apply the cycling closure test to the set $T_0^{-1}\mathcal{T}$. (See 
section 2.3 for a review of the cycling closure test.) 

3.2 Orbit Test 

Given any key $k$ and any message $x_0$, compute $x_i = T_k^i(x_0)$, $i = 1, 2, \ldots$ for a specified number of 
steps or until a cycle is detected. 

The period of this sequence is the length of $T_k\text{-orbit}(x_0)$. In other words, if we consider the 
permutation $T_k$ as a product of disjoint cycles, then the period of the sequence is simply the 
length of the cycle that contains $x_0$. If this test is run for $r$ steps without detecting a cycle, then 
$r$ is a lower bound on $\mathrm{order}(T_k)$ and hence on $\mathrm{order}(\langle \mathcal{T} \rangle)$. 

⁹Schematic diagrams of our hardware will be included in a revised version of this paper, to be available from the 
authors some time in the future. 

For a randomly chosen permutation on $\mathcal{M}$, for each $1 \le l \le M$, the probability that $x_0$ lies in 
a cycle of length exactly $l$ is $1/M$ [Har59,PuW68] ([Knu69], exercise 3.1.12). Hence, the expected 
cycle-length of the longest cycle of a randomly chosen permutation on $n$ letters is about $0.624n$ 
[ShL66] (for DES, this is about $2^{63}$). For a randomly chosen permutation on $\mathcal{M}$, the chance that 
we fall into a cycle of length $2^{36}$ or less is about $2^{-(63-36)} = 2^{-27}$. 

Although we do not do so in this preliminary abstract, it is possible to interpret results of the 
orbit test to obtain statistical lower bounds on the order of the group generated by DES. Such 
analysis depends on the structure of the group. For example, the orbit test behaves differently 
on cyclic groups than on symmetric groups. Consequently, it is useful to combine the orbit test 
with other algebraic tests, including tests for faithfulness, commutativity, solvability at various 
levels, and nilpotence at various classes. 

3.3 Small Subgroup Test 

Given two distinct keys $i, j \in \mathcal{K}$ and any message $x_0$, apply the cycling closure test to the set 
$\{T_i, T_j\}$ to obtain a statistical lower bound on the length of the $\langle T_i, T_j \rangle$-orbit of $x_0$. 

In the orbit and small group tests, it would be interesting to examine both randomly chosen 
transformations and certain "special" transformations. For example, it would be interesting to 
explore weak keys, semi-weak keys, light keys (keys with a low density of ones), heavy keys (keys 
with a high density of ones), and pairs of related keys (e.g. keys that differ in one bit and keys 
that are complements of each other). 

3.4 Extended Message Space Closure Tests 

For any experiment that uses the cycling closure test, perform the cycling closure test with an 
extended message space that consists of the Cartesian product $\mathcal{M}^l$ of the original message 
space, for some small integer $l$.¹⁰ 

The closure test works by computing a statistical lower bound on the length of $\langle \mathcal{T} \rangle\text{-orbit}(x_0)$, 
which, in turn, yields a lower bound on the order of $\langle \mathcal{T} \rangle$. Limits on the lower bounds achievable 
by this test are imposed both by the number of steps the test is carried out and by the relative 
sizes of the message space and key space. For all $1 \le r \le \sqrt{M}$, if the test is run for $r$ steps 
without detecting a cycle, then with high probability $\mathrm{order}(\langle \mathcal{T} \rangle) \ge r^2$. To use the cycling closure 
test to obtain statistical lower bounds on $\mathrm{order}(\langle \mathcal{T} \rangle)$ greater than $2^{64}$, it is necessary to perform 
an extended message test with $l > 1$. 

3.5 Reduced Message Space Tests 

Perform each of the above tests on a modified version of DES in which the message space is reduced 
in size. Specifically, consider DES-derived functions $\phi_k : \mathcal{M}_r \to \mathcal{M}_r$ on the reduced message space 
$\mathcal{M}_r = \{0,1\}^r$, where $r$ is some small integer (say, $r = 8$) and $\phi_k$ is defined as follows. For each 
key $k \in \mathcal{K}$, define $\phi_k$ by $\phi_k = \pi_2 T_k \pi_1$, where $\pi_1 : \mathcal{M}_r \to \mathcal{M}$ is an injection and $\pi_2 : \mathcal{M} \to \mathcal{M}_r$ is a 
projection. (For example, $\pi_1$ might fix the first 56 DES input bits to 0, and $\pi_2$ might take only 
the last 8 DES output bits.) 

¹⁰In the extended message space closure test, the pseudorandom function $\rho$ maps $\mathcal{M}^l$ into $\mathcal{K}$. 






No.  Test               Leader length              Cycle length   p_G           p_R 
1    Closure            ≈ 2^25                     ≈ 2^33         (illegible)   > 0.17 
2    Closure            (illegible)                ≈ 2^33         < 10^-364     > 0.09 
3    Closure            ≈ 2^31                     ≈ 2^(?).5      < 10^-41      > 0.68 
4    Extended closure   (no cycle in 2^34 steps)                  < 10^-(?)     > 1 - 10^-18 
5    Purity             ≈ 2^31.5                   ≈ 2^30         < 10^-61      > 0.57 
6    Purity             ≈ 2^30                     ≈ 2^(?)        < 10^-84      > 0.42 
7    Small subgroup     0                          ≈ 2^33         *             < 10^-9 
8    Orbit              (no cycle in 2^36 steps)                  *             > 1 - 10^-8 

* Depends on hypothesized group structure. 

Table 1: Summary of DES experiments, May–August 1985. (The numbers $p_G$ and $p_R$ are the con-
ditional probabilities of the experimental evidence under the hypotheses "DES is closed (pure)" 
and "Each DES transformation was drawn at random from the symmetric group on $\mathcal{M}$" respec-
tively. Cells marked (illegible) or (?) could not be read from the scan; the cycle length of experiment 1 
is that of experiment 2, since both walks entered the same cycle, see Figure 1.) 

Studying reduced message space versions of DES is useful for two reasons. First, it is one way 
to look for structures that may be present on subsets of the message space. Second, by sufficiently 
restricting the message space, it is possible to write down a complete description of the action of 
particular transformations on the reduced message space. 

4 Experimental Results and Conclusions 

This section summarizes our experimental results and discusses two interesting structural findings. 
4.1 Summary of Experimental Results 

During May to August 1985, we performed eight cycling experiments covering five different alge-
braic tests. Specifically, we performed three closure tests, one extended message space closure test, 
two purity tests, one small subgroup test using two of the weak keys, and one orbit test.¹¹ These 
experiments gathered overwhelming statistical evidence that DES is neither pure nor closed and 
that the size of the group generated by DES is at least 2 m. Table 1 summarizes our experimental 
results. 

As one test of correctness, we ran a software implementation of the cycling closure test for 
30,000 steps. The software and hardware implementations agreed on all values. As a second test 
of correctness, we repeated experiments 1 and 2 and obtained identical results. We invite the 
interested reader to verify our results using the detailed experimental data found in appendix A. 

In experiment 7, we applied the small subgroup test to the transformations represented by 
the two weak keys that consist respectively of all zeros and all ones. Since each of the weak 
transformations is self inverse, we implemented this test as an orbit test using the composition 
of the weak transformations. This experiment produced a short cycle of about $2^{33}$ steps, which 
would be unusual (probability less than $10^{-9}$) if the tested permutation were chosen at random 
from $S_{\mathcal{M}}$. 



¹¹We also performed one trial of a reduced message space closure test that detected no algebraic weaknesses. 







Figure 1: Results of experiments 1 and 2. Starting at different initial messages, both 
pseudo-random walks entered the same cycle. Every message on the cycle is the bitwise comple- 
ment of the corresponding message halfway around the cycle. 

4.2 Two Structural Findings 

Although most of our experimental results are consistent with the hypothesis that DES acts like 
a set of randomly chosen permutations, three experiments did yield interesting regularities. One 
regularity is a result of the well-known complementation property;¹² the other involves a newly 
discovered property of the weak keys. We will now explain these structural findings. 

4.2.1 Complementation and Drainage Properties 

In the first two experiments, we performed two independent trials of the cycling closure test. 
Each of these experiments used the "identity" next key function — the function $\rho : \mathcal{M} \to \mathcal{K}$ that 
removes each of the eight parity bits. These two experiments produced two interesting findings. 
First, each of the pseudo-random walks drained into the same cycle. Second, each point on the 
cycle was the bitwise complement of the corresponding point exactly halfway around the cycle. 
Figure 1 illustrates these findings. 

The first finding is explained by the fact that, for the graph of a randomly chosen function, 
most points on the graph will probably drain into the same cycle. See [HeR82] for one analysis 
of this phenomenon. 

The second finding is a consequence of DES's complementation property and the fact that the 
identity next key function also has a complementation property (for all messages $x$, $\rho(\bar{x}) = \overline{\rho(x)}$). 
The cycling closure test computes a pseudo-random walk $x_0, x_1, \ldots$, where $x_{i+1} = T_{\rho(x_i)}(x_i)$, for 
$i \ge 0$. If $x_i = \overline{x_j}$ for any $i > j$, then it would follow that 

$x_{i+1} = T_{\rho(x_i)}(x_i) = T_{\rho(\overline{x_j})}(\overline{x_j}) = T_{\overline{\rho(x_j)}}(\overline{x_j}) = \overline{T_{\rho(x_j)}(x_j)} = \overline{x_{j+1}}.$ (2) 

Therefore, by induction, $x_{i+h} = \overline{x_{j+h}}$ for all $h \ge 0$. This situation arises whenever some $x_i = \overline{x_j}$ 
before any $x_i = x_j$ with $i > j$, which will happen for about half of all initial messages. 
before any i,- = Xj with x > j , which will happen for about half of all initial messages. 



¹²For every key $k$ and every message $x$, $T_{\bar{k}}(\bar{x}) = \overline{T_k(x)}$ [DaP84]. 










Figure 2: Results of experiment 7. (Filled circles denote the messages $x_i$ on the $T_{1\ldots1}T_{0\ldots0}$-orbit 
of an initial message $x_0$. Unfilled circles denote intermediate values $T_{0\ldots0}(x_i)$. Dotted lines link 
identical messages.) 

4.2.2 Fixed Points of the Weak Keys 

In experiment 7, we computed the orbit of a message under the composition of the two weak keys 
that consist respectively of all zeros and all ones. Although each weak key is self-inverse, we did 
not expect the composition to produce short orbits. Much to our surprise, we detected a cycle of 
length less than $2^{34}$. We presented this finding at the Crypto 85 conference and sought a simple 
explanation. 

After some thought, Don Coppersmith suggested that we had encountered fixed points of the 
weak keys, i.e., messages $x$ for which $T_{1\ldots1}(x) = x$ or $T_{0\ldots0}(x) = x$. Since each weak key yields 16 
identical round keys, for each weak key, a fixed point results whenever DES's L and R registers 
agree after eight rounds. Since the middle L and R registers are equal with probability about 
$1/2^{32}$, there should be about $2^{32}$ fixed points for each of the four weak keys. Hence, by $2^{34}$ steps, 
it was likely that we had encountered a fixed point. Figure 2 illustrates the effect of the fixed 
points on the walk in the message space and explains why a cycle resulted. 

After the conference, we found the fixed points and thus confirmed Coppersmith's hypothesis 
(see appendix). To the best of our knowledge, these fixed points are the first published in the 
open literature. These fixed points further illustrate the deficiencies of the weak keys. 

Coppersmith also suggested that the algebraic structure detected in experiment 7 can be used 
to prove strong lower bounds on the size of the group generated by DES. Experiment 7 computed 
the length, $l$, of the $g$-orbit of $x_0$, where $g = T_{1\ldots1}T_{0\ldots0}$ is the composition of two DES transformations 
and $x_0$ is the initial message. Since $l$ divides the order of $g$, it follows that $l$ divides the order 
of the group generated by DES. Therefore, if experiment 7 were repeated $r$ times with different 
initial messages, and if these experiments yielded orbit lengths $l_1, \ldots, l_r$, then $\mathrm{lcm}(l_1, l_2, \ldots, l_r)$ 
would be a lower bound on the order of the group generated by DES. We have not yet extended 
our results in this direction. 
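The following Python program is an added example, not the paper's code: a 16-round toy Feistel cipher on 16-bit blocks (8-bit halves, a random 8-bit S-box and a rotate-based key schedule, all of them assumptions) in which, as in DES, the key enters only through $R \oplus K$. It demonstrates the complementation property and the complementary walk of equation (2) under an "identity" next-key function (section 4.2.1), shows that for a key whose 16 round keys coincide (the toy analogue of a weak key) the cipher is an involution whose fixed points are exactly the messages with $L_8 = R_8$, and computes $T_{1\ldots1}T_{0\ldots0}$-orbit lengths and their lcm as in the paragraph above (section 4.2.2).

```python
# Added example, not the paper's code: a toy Feistel cipher exhibiting the
# complementation property, the complementary walk of equation (2), and the
# fixed points of a constant-schedule ("weak") key.  Block, key and S-box
# sizes are assumptions chosen so the whole message space can be enumerated.
import functools
import math
import random

HALF = 8                                   # half-block width in bits (DES: 32)
ROUNDS = 16
HMASK = (1 << HALF) - 1
BLOCK_MASK = (1 << (2 * HALF)) - 1

_rng = random.Random(7)                    # fixed seed: the S-box is deterministic
_SBOX = list(range(1 << HALF))
_rng.shuffle(_SBOX)


def round_function(r, subkey):
    """The key enters only as r XOR subkey (DES: E(R) XOR K_i), hence
    f(~r, ~subkey) == f(r, subkey), the root of the complementation property."""
    return _SBOX[(r ^ subkey) & HMASK]


@functools.lru_cache(maxsize=None)
def key_schedule(k):
    """Toy schedule: round key i is the 8-bit key rotated left by i mod 8.
    0x00 and 0xFF rotate to themselves, so all 16 of their round keys
    coincide: these are the toy cipher's weak keys."""
    out = []
    for i in range(ROUNDS):
        rot = i % HALF
        out.append(((k << rot) | (k >> (HALF - rot))) & HMASK)
    return tuple(out)


def _rounds(x, subkeys):
    l, r = (x >> HALF) & HMASK, x & HMASK
    for sk in subkeys:
        l, r = r, l ^ round_function(r, sk)
    return l, r


def encrypt(k, x):
    l, r = _rounds(x, key_schedule(k))
    return (r << HALF) | l                 # final swap, as in DES


def decrypt(k, y):
    l, r = _rounds(y, key_schedule(k)[::-1])
    return (r << HALF) | l


def complement(x):
    return x ^ BLOCK_MASK


def next_key(x):
    """'Identity' next-key function: the low 8 bits of the message (DES: drop
    the parity bits).  next_key(complement(x)) == next_key(x) ^ HMASK."""
    return x & HMASK


def walk(x0, steps):
    """The pseudo-random walk x_{i+1} = T_{rho(x_i)}(x_i) of the closure test."""
    xs = [x0]
    for _ in range(steps):
        xs.append(encrypt(next_key(xs[-1]), xs[-1]))
    return xs


def walks_are_complementary(x0, steps=256):
    """Equation (2): the walk from ~x0 is, step for step, the complement of the
    walk from x0; a walk that meets its own complement therefore closes into a
    cycle whose opposite points are complements (Figure 1)."""
    a, b = walk(x0, steps), walk(complement(x0), steps)
    return all(complement(u) == v for u, v in zip(a, b))


def midpoint(k, x):
    """(L_8, R_8): the state after the first 8 of the 16 rounds."""
    return _rounds(x, key_schedule(k)[: ROUNDS // 2])


def fixed_points(k):
    return [x for x in range(1 << (2 * HALF)) if encrypt(k, x) == x]


def midpoint_symmetric(k):
    """Messages with L_8 == R_8.  For a weak key these are exactly the fixed
    points (Coppersmith's explanation); there are exactly 2^HALF of them
    because the 8-round map is a bijection and 2^HALF states have equal halves."""
    out = []
    for x in range(1 << (2 * HALF)):
        l, r = midpoint(k, x)
        if l == r:
            out.append(x)
    return out


def composed_orbit_length(k1, k2, x0):
    """Length of the T_{k1} T_{k2}-orbit of x0 (experiment 7 with two weak keys).
    It comes out short because the orbit turns around at a fixed point of
    T_{k2} or T_{k1}, as Figure 2 shows."""
    def g(x):
        return encrypt(k1, encrypt(k2, x))
    x, n = g(x0), 1
    while x != x0:
        x, n = g(x), n + 1
    return n


def lcm_bound(orbit_lengths):
    """Each orbit length divides the order of g, which divides the order of the
    group generated by the cipher; their lcm is thus a lower bound on it."""
    bound = 1
    for n in orbit_lengths:
        bound = bound * n // math.gcd(bound, n)
    return bound


if __name__ == "__main__":
    weak = fixed_points(0x00)
    print(len(weak), "fixed points of weak key 0x00; equals {L8==R8}:",
          weak == midpoint_symmetric(0x00))
    lengths = [composed_orbit_length(0xFF, 0x00, x0) for x0 in (1, 2, 3)]
    print("orbit lengths", lengths, "lcm bound", lcm_bound(lengths))
```

In the toy cipher a weak key has exactly $2^8 = 256$ fixed points, because the 8-round map is a bijection and exactly $2^8$ states have equal halves; the same counting applies to DES's 32-bit halves. The orbit lengths of the composed weak-key transformation are small for the reason the paper gives: a fixed point of either involution makes the orbit fold back on its own intermediate values.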

Acknowledgments 

We would like to thank several people who contributed to this paper. Leon Roisenberg helped 
out with the design and construction of our special-purpose hardware. As part of his bachelor's 
thesis, John Hinsdale wrote the C software used by our host IBM personal computer to carry 
out the cycle-detection algorithm. We are also grateful to László Babai, Don Coppersmith, and 
Gary Miller for helpful comments. In addition, we would like to thank the Functional Languages 
and Architectures Research Group of the MIT Laboratory for Computer Science for use of their 
hardware laboratory during the construction and testing of our special-purpose hardware. 

References 

[Bet82] Beth, Thomas, ed., Cryptography, Proceedings of the Workshop on Cryptography, Burg 
Feuerstein, Germany, March 29-April 2, 1982, Springer (Berlin, 1983). 

[Bov80] Bovey, J. D., "An approximate probability distribution for the order of elements of 
the symmetric group," Bull. London Math Society, 12 (1980), 41-46. 

[BoW77] Bovey, John; and Alan Williamson, "The probability of generating the symmetric 
group," Bull. London Math Society, 10 (1978), 91-96. 

[Car56] Carmichael, Robert D., Introduction to the Theory of Groups of Finite Order, Dover 
(New York, 1956). 

[CRS82] Chaum, David; Ronald L. Rivest; and Alan T. Sherman, eds., Advances in Cryptology: 
Proceedings of Crypto 82, Plenum Press (New York, 1983). 

[DaP84] Davies, Donald W.; and W. L. Price, Security for Computer Networks: An Introduc- 
tion to Data Security in Teleprocessing and Electronic Funds Transfer, John Wiley 
(Chichester, England, 1984). 

[Dav82] Davies, Donald W., "Some regular properties of the DES," in [CRS82], 89-96. 

[DaP82j Davies, Donald W.; and G. I. P. Parkin, "The average size of the key stream in output 
feedback mode," in [CRS82], 97-98. 

[DaP82a] Davies, Donald W.; and G. I. P. Parkin, "The average size of the key stream in output 
feedback encipherment," in [Bet82], 263-279. 

[Dix69] Dixon, John D., "The probability of generating the symmetric group," Math Zentrum, 
110 (1969), 199-205. 

[FIPS77] "Data Encryption Standard," National Bureau of Standards, Federal Information Pro- 
cessing Standards Publications No. 46 (January 15, 1977). 

[FIS80] "DES modes of operations," Federal Information Standards Publication No. 81 (De- 
cember 1980). 

[Gai77j Gait, Jason, "A new nonlinear pseudorandom number generator," IEEE Transactions 
on Software Engineering, SE-3 (September 1977), 359-363. 

[Har59] Harris, Bernard, "Probability distributions related to random mappings," Annals of 
Math. Statistics, 31 (1959), 1045-1062. 

[Hel76] Hellman, Martin E., et al., "Results of an initial attempt to cryptanalyze the NBS Data 
Encryption Standard," technical report SEL 76-042, Information Systems Laboratory, 
Stanford Univ. (November 1976). 

[HeR82] Hellman, Martin E.; and Justin M. Reyneri, "Distribution of Drainage in the DES," 
in [CRS82] (1982), 129-131. 



222 



[Jue82] Jueneman, Robert R., "Analysis of certain aspects of output-feedback mode," in 
[CRS82] (1982), 99-127. 

[KRS851 Kaliski, Burton S., Jr.; Ronald L. Rivest; and Alan T. Sherman, "la the Data Encryp- 
tion Standard a Group?" Proceedings of Eurocrypt 85, Springer, to appear. 

[Knu69] Knuth, Donald E., Seminumerical Algorithms in The Art of Computer Programming, 
vol. 2, Addison-Wesley (1969). 

[MeH81] Merkle, Ralph C; and Martin E. Hellman, "On the security of multiple encryption," 
CACM, 24 (July 1981), 465-467. 

[MeM82] Meyer, Carl H.; and Stephen M. Matyas, Cryptology: A New Dimension in Computer 
Data Security, John Wiley (New York, 1982). 

[PuW68] Purdom, Paul W.; and J. H. Williams, "Cycle length in a random function," Trans- 
actions of the American Mathematics Society, 133 (1968), 547-551. 

[Rot78] Rotman, Joseph J., The Theory of Groups: An Introduction, Allyn and Bacon (Boston, 
1978). 

[Sha49] Shannon, Claude E., "Communication theory of secrecy systems," Bell System Tech- 
nical Journal, 28 (October 1949), 656-715. 

[SSY82] Sedgewick, Robert; Thomas G. Szymanski; and Andrew C. Yao, "The complexity of 
finding cycles in periodic functions," Siam Journal on Computing, 11 (1982), 376-390. 

[ShL66] Shepp, L. A.; and S. P. Lloyd, "Ordered cycle lengths in a random permutation," 
Transactions of the American Mathematics Society, (February 1966), 340-357. 

[Tuc78] Tuchman, W. L., talk presented at National Computer Conference, (June 1978). 

[Wie64] Wielandt, Helmut, Finite Permutation Groups, Academic Press (New York, 1964). 






A Detailed Description of Experiments 

This appendix presents nine tables that describe in detail the cycling experiments we carried 
out during summer 1985. The first table defines the pseudo-random next key function used 
in several of the experiments. The remaining eight tables, one for each experiment, list all 
relevant experimental parameters together with important checkpoints encountered during the 
experiments. 

A.1 Notation 

In the body of the abstract, we defined the key space of DES to be the set $K = \{0,1\}^{56}$. Most 
DES implementations, however, nominally treat each key as a string of 64 bits, where every eighth 
key bit is a parity bit which is ignored. In this appendix, we too shall specify keys and messages 
as 64-bit strings, described in hexadecimal notation. To do this, it is convenient to introduce the 
DES function $T: K \times M \to M$ that operates on the nominal key space $K = \{0,1\}^{64}$. 

A.2 Next Key Functions 

The cycling closure test depends on a function $\rho: M \to K$ to compute the next key from the 
current message. We will now describe the two particular next key functions that we used during 
our experiments. We will define each next key function in terms of its related function $\rho: M \to K$. 

Each next key function operated in a byte-by-byte fashion using a byte substitution table 
(1 byte = 8 bits). For any $0 \le i \le 7$ and any $x \in M$, let $x^{(i)}$ denote the $i$-th byte of $x$. For each 
$0 \le i \le 7$, we computed $\rho(x)^{(i)} = S(x^{(i)})$, for some byte substitution table $S: \{0,1\}^8 \to \{0,1\}^8$. 

In experiments 1 and 2, we chose $S$ to be the identity function. In the other cycling closure 
experiments, we used the byte substitution table given by table 2 (see footnote 13). This table was designed so 
that each entry has odd parity and such that each entry appears exactly twice. The table was 
generated using the random number generator in the C library on our IBM PC. 

For the experiments that used the extended message space $M^2$, we computed $\rho(x)^{(i)} = S(x^{(2i)})$ 
using the substitution table given in table 2. 
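The two procedures the paper relies on, the closure-test walk x_{i+1} = T_{rho(x_i)}(x_i) with a byte-substitution next key function (this section) and the lcm-of-orbit-lengths lower bound on the group order (the concluding remarks on experiment 7), are illustrated below in Python. This is an added example, not the authors' software: DES is replaced by a constructed 16-bit keyed permutation `toy_encrypt`, the byte table `S_TABLE` is a constructed bijection rather than table 2, and Brent's cycle-detection algorithm is my choice for finding the leader length and cycle length. The composition g uses the all-zero and all-one toy keys in the role of the two weak keys.

```python
from math import lcm

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1


def toy_encrypt(key, x):
    """T_k: a constructed keyed permutation of 16-bit blocks standing in for DES.
    Every round step (XOR, multiply by an odd constant mod 2^16, rotate) is a bijection,
    so T_k is a permutation of the message space for every key k."""
    key &= MASK
    for r in range(4):
        x ^= (key + r * 0x9E37) & MASK
        x = (x * 0xA6A7) & MASK
        x = ((x << 5) | (x >> 11)) & MASK
    return x


# Constructed byte substitution table S (a bijection on bytes; table 2 is not used here).
S_TABLE = [((b * 167) + 13) & 0xFF for b in range(256)]


def next_key(x):
    """rho(x): byte-by-byte substitution of the two bytes of a 16-bit message."""
    hi, lo = (x >> 8) & 0xFF, x & 0xFF
    return (S_TABLE[hi] << 8) | S_TABLE[lo]


def closure_step(x):
    """One step of the cycling closure test: x_{i+1} = T_{rho(x_i)}(x_i)."""
    return toy_encrypt(next_key(x), x)


def brent(f, x0):
    """Brent's cycle detection in O(1) memory. Returns (mu, lam): mu is the leader
    length (index of the first point on the cycle), lam is the cycle length."""
    power = lam = 1
    tortoise, hare = x0, f(x0)
    while tortoise != hare:
        if power == lam:            # open a new power-of-two search window
            tortoise, power, lam = hare, power * 2, 0
        hare = f(hare)
        lam += 1
    tortoise = hare = x0            # now find mu: advance hare by lam, then walk both
    for _ in range(lam):
        hare = f(hare)
    mu = 0
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    return mu, lam


def closure_experiment(x0):
    """Leader length and cycle length of the closure walk from x0 (cf. tables 3-5)."""
    return brent(closure_step, x0)


def orbit_length(g, x0):
    """Length of the g-orbit of x0 for a permutation g (the walk has leader length 0)."""
    x, n = g(x0), 1
    while x != x0:
        x, n = g(x), n + 1
    return n


def permutation_order(g):
    """Order of the permutation g of the whole block space: lcm of its cycle lengths."""
    seen = bytearray(1 << BLOCK_BITS)
    order = 1
    for start in range(1 << BLOCK_BITS):
        if not seen[start]:
            x, length = start, 0
            while not seen[x]:
                seen[x] = 1
                x, length = g(x), length + 1
            order = lcm(order, length)
    return order


def group_order_lower_bound(k0, k1, starts):
    """lcm of the g-orbit lengths of several initial messages, g = T_{k1} o T_{k0}.
    Each orbit length divides ord(g), which divides the order of the group generated
    by the T_k, so the lcm is a lower bound on that group order."""
    g = lambda x: toy_encrypt(k1, toy_encrypt(k0, x))
    lengths = [orbit_length(g, x0) for x0 in starts]
    return lcm(*lengths), lengths


if __name__ == "__main__":
    mu, lam = closure_experiment(0x0123)
    print("closure walk: leader length", mu, "cycle length", lam)
    bound, lengths = group_order_lower_bound(0x0000, 0xFFFF, [0x0123, 0x4567, 0x89AB])
    print("orbit lengths", lengths, "=> group order is a multiple of", bound)
```

On the real DES message space the same walk is what the tables in this appendix record ("end of leader", "start of cycle", "end of cycle"); the toy block is small enough that `permutation_order` can compute ord(g) outright and confirm that every orbit length, and hence the lcm bound, divides it.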

A.3 Selection of Experimental Parameters 

We chose initial messages and keys in a variety of ad hoc ways. Some we selected in an obviously 
deterministic manner (e.g., $x_0$ = 0123456789ABCDEF). Others are related to the authors' social 
security numbers or other personal data. The rest we generated using DES and MACSYMA. 

A.4 Detailed Experimental Results 

Tables 3-10 list the detailed results of our cycling experiments. 



13 The substitution table is used as follows. To substitute any byte B, consider the representation of B as two 
hexadecimal digits. Select the table entry whose row is given by the first digit and whose column is given by the 
second digit. 








      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F 

 00  3E 46 B6 26 AE F8 2A AE CE 57 E6 9B 07 5D 92 2C 
 10  FE 58 EF CD F7 76 2F 91 8F 2F 0E D0 07 B0 73 51 
 20  20 5E 76 B3 86 9D 16 01 31 EF D3 8F D6 40 2A F8 
 30  01 C7 C7 19 F7 31 A2 62 9E B9 DA D9 34 85 19 D9 
 40  61 A8 3D B0 0E 79 C2 BC 52 04 37 FD 6E 85 FB BA 
 50  DF C8 6D 13 43 1C 0B 4A 89 83 E3 20 4F A7 BA 3B 
 60  80 D0 67 EA 7F A8 C8 43 79 6D 1A 4C A7 CB 86 23 
 70  5B 02 C2 4C 58 38 FE CE B9 1C 15 A4 25 29 1A 15 
 80  C1 98 7F 4A 64 57 97 32 26 F2 E5 91 D6 E9 6B F4 
 90  4F 80 67 DF F1 BF B3 B5 3E E5 7A EC A1 B5 92 29 
 A0  10 DC 97 46 94 CB 49 6B 10 45 3B F2 E6 FD B6 BC 
 B0  40 0D 1F AD 52 BF 62 23 61 49 E0 0D 08 CD E3 C4 
 C0  68 1F 9E E9 FB 7C 13 75 8A 89 04 5D 6E DC 54 D5 
 D0  EA F1 9D F4 94 75 D3 70 8C 54 AB 2C D5 02 98 7A 
 E0  3D 5B 25 8A A1 38 8C EC 70 9B A4 45 64 51 AB 7C 
 F0  C1 AD 34 C4 E0 A2 68 83 16 08 DA 32 73 37 0B 5E 

Table 2: Byte substitution table for pseudorandom next key function. 



Experiment 1 

             i    x_i                 Note 
             0    0123456789ABCDEF 
    34,293,588    B0FDED3BD0DD918C    end of leader 
    34,293,589    AE5530A0E971B5E8    start of cycle 
 2,030,556,568    12B67D3796106D30    quarter cycle 
 4,026,819,547    51AACF5F168E4A17    half cycle 
 6,023,082,526    ED4982C869EF92CF    three-quarters cycle 
 8,019,345,504    A032CE0D3F436EFE    end of cycle 
 8,019,345,505    AE5530A0E971B5E8    restart of cycle 

Table 3: Closure experiment with identity next key function. Cycle length 7,985,051,916; 
leader length 34,293,589 $\approx 2^{25}$. 



Experiment 2        $x_{i+1} = T_{x_i}(x_i)$ 

             i    x_i                 Note 
             0    121502850B020664 
 1,389,523,413    48BB5C9F85CD285A    end of leader 
 1,389,523,414    AFF50E97653421BF    start of cycle 
 5,152,082,299    AE5530A0E971B5E8    experiment 1 intersection 
 9,374,575,329    FB0A1398E92D1473    end of cycle 
 9,374,575,330    AFF50E97663421BF    restart of cycle 

Table 4: Closure experiment with identity next key function. Cycle length 7,985,051,916; 
leader length 1,389,523,414 $\approx 2^{30}$. 






Experiment 3 

             i    x_i                 Note 
             0    6036222982B03104 
 2,138,241,978    68955F4BF000A6E0    end of leader 
 2,138,241,979    C9DB8E7169CCF272    start of cycle 
 3,706,679,992    433B74E2CB18DDFD    end of cycle 
 3,706,679,993    C9DB8E7169CCF272    restart of cycle 

Table 5: Closure experiment with pseudo-random next key function. Cycle length 
1,568,438,014 $\approx 2^{30.5}$; leader length 2,138,241,979 $\approx 2^{31}$. 



Experiment 4 

              i    x_i (two 64-bit halves)                Note 
              0    4C957F303AC4D08B 63E15C9C7A398042 
  4,294,967,296    2C173869EAF8804B 767469BB19B26D8A    $2^{32}$ iterations 
  8,589,934,592    4349368A49700D3B 5SFC02F8848BC84F    $2^{33}$ iterations 
 12,884,901,888    55D1292F5D99B268 C30AB80FF3B03D08    $3 \cdot 2^{32}$ iterations 
 17,179,869,184    4A224C65B8A48DEB 00C7D0CA64C4B240    $2^{34}$ iterations 

Table 6: Extended closure experiment with pseudo-random next key function. No cycle detected 
in $2^{34}$ steps. 



Experiment 5 Xi+\ — 7\ 1 T^ Sf j(x 1 ) 


             i    x_i                 Note 
             0    0123456789ABCDEF 
 3,233,340,362    0EC45F7157BD8749    end of leader 
 3,233,340,363    EFE7B7112233DD88    start of cycle 
 4,531,729,424    C09DFA478C3849BE    end of cycle 
 4,531,729,425    EFE7B7112233DD88    restart of cycle 

Table 7: Purity experiment with pseudo-random next key function. Cycle length 
1,298,389,062 $\approx 2^{30}$; leader length 3,233,340,363 $\approx 2^{31.5}$. Key k = 97778E1BC3FD8E07. 






Experiment 6 x i+1 = t, 1 t-^(xi) 


             i    x_i                 Note 
             0    121502850B020664 
 1,366,287,307    E43D6EF9361DDB4A    end of leader 
 1,366,287,308    75C6C23C21EA50DA    start of cycle 
 5,584,675,814    FDBE1ECDF38BF3E5    end of cycle 
 5,584,675,815    75C6C23C21EA50DA    restart of cycle 

Table 8: Purity experiment with pseudo-random next key function. Cycle length 
4,218,388,507 $\approx 2^{32}$; leader length 1,366,287,308 $\approx 2^{30}$. Key k = 4D3FD0FED9A4FA9B. 



Experiment 7 

             i    x_i                 Note 
             0    0123456789ABCDEF    start of cycle 
 2,227,161,945    664B672D3DBC73AB    0...0 fixed point 
 4,454,323,890    293FD4F2C13DD94F    "hidden crossing" 
 5,890,012,565    3CC5B0EADEFD30A0    1...1 fixed point 
 7,325,701,239    0123456789ABCDEF    restart of cycle 

Table 9: Small subgroup experiment using weak keys. Cycle length 7,325,701,239 $\approx 2^{33}$; leader 
length 0. 





              i    x_i                 Note 
 17,179,869,184    B98C3A67CD6F8267    $2^{34}$ iterations 
 34,359,738,368    632509BC9F57DF8A    $2^{35}$ iterations 
 51,539,607,552    ED4B06ABBF5515FB    $3 \cdot 2^{34}$ iterations 
 68,719,476,736    2C84263510AEAD34    $2^{36}$ iterations 

Table 10: Orbit experiment. No cycle detected in $2^{35}$ steps. Key k = 116E0B827SAEC431. 



A LAYERED APPROACH TO THE DESIGN OF PRIVATE KEY CRYPTOSYSTEMS 



T. E. Moore and S. E. Tavares 
Department of Electrical Engineering 
Queen's University 
Kingston, Ontario, Canada. K7L 3N6 

ABSTRACT 

This paper presents a layered approach to the design of private key 
cryptographic algorithms based on a few strategically chosen layers. 
Each layer is a conceptually simple invertible transformation that may 
be weak in isolation, but makes a necessary contribution to the 
security of the algorithm. This is in contrast to algorithms such as 
DES which utilize many layers and depend on S-boxes that have no 
simple mathematical interpretation. A property called transparency is 
introduced to deal with the interaction of layers and how they must be 
selected to eliminate system weaknesses. 

Utilizing this layered approach, a private key cryptographic algorithm 
consisting of three layers is constructed to demonstrate the design 
criteria. The algorithm has an adequate key space and valid keys can 
be easily generated. The design is based on a symmetrical layered 
configuration, which allows encryption and decryption to be performed 
using the same algorithm. The algorithm is suitable for VLSI 
implementation. Some statistical tests are applied to the algorithm in 
order that its cryptographic performance can be evaluated. The test 
results and attempts at cryptanalysis suggest that the three-layered 
algorithm is secure. 

1. HISTORY OF LAYERING 

The concept of layering cryptographic transformations to produce 
stronger ones was first suggested by Shannon [14] using substitution 
and permutation operations as layers. This idea was introduced in 
1949 as product ciphers, which made it possible to generate strong 
cryptosystems by concatenating weak transformations. The 'Lucifer' 
cipher, developed at IBM by Feistel [6], embodies this approach by 
alternately applying substitutions and permutations. 

A well-known example of an existing private key cryptographic 
algorithm is the Data Encryption Standard (DES) [?]. The DES algorithm 
consists of many layers exemplifying the strength of a layering 
technique. Although DES has been adopted as an encryption standard, it 
has been subjected to a great deal of criticism and suspicion [4, 7]. 
Some features of DES, such as the design of the S-boxes for example, 
are not well understood and instead of trusting in a system which is 
difficult to analyze, a user may choose a simpler system that can be 
understood. 

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 227-245, 1986. 
© Springer-Verlag Berlin Heidelberg 1986 

Layered encryption has also been explored in the broadcast environment 
by Spencer and Tavares [15]. Only a few layers were employed in this 
particular application, each of an arithmetic nature. This is in 
contrast to layers such as those used in the DES algorithm. 

2. OVERVIEW OF LAYERING 

In order that the concepts of layered encryption systems can be 
examined, the basic characteristics of conventional systems are 
stated. The components necessary in all cryptographic systems are a 
plaintext space P, ciphertext space C, key space K, a set of 
enciphering transformations E, and a corresponding set of deciphering 
transformations D. 

Unlike conventional systems, a layered cryptosystem has several 
concatenated enciphering transformations for encryption and the same 
number of deciphering transformations concatenated together for 
decryption. An m-layered cryptosystem is composed of a plaintext 
space P, ciphertext space C, a set of m key spaces $K_1, \ldots, K_m$, m sets 
of enciphering transformations $E_1, \ldots, E_m$, and m corresponding sets of 
deciphering transformations $D_1, \ldots, D_m$. Schematic diagrams of these 
two types of cryptosystems are given for comparison in Figure 1. 

There are three basic assumptions important to the functionality of 
layered cryptosystems. The first is that the set of individual layer 
keys $k_1, \ldots, k_m$ used for encryption are kept secret from unauthorized 
users. Secondly, each layer is a simple invertible transformation 
which may be weak cryptographically in isolation, but makes a 
necessary contribution to the security of the entire system. Lastly, 
the interlayer results of the enciphering and deciphering transforma- 
tions are not accessible to unauthorized users. All discussions 
dealing with layered encryption in this paper apply only to private 
key cryptosystems. 

It is important here to clarify that any layer by itself is not 
secure, given access to its input and output values. Nothing is 
gained by layering if interlayer results are an allowable resource to 
a cryptanalyst. It is a reasonable assumption to consider the inter- 
layer results as unattainable resources. Unlike plaintext and 
ciphertext, interlayer values are only transient results which are 
never stored or accessed at any time by legitimate users of the 
system. The only manner in which they may be obtained is if an in- 
truder can tap and monitor the hardware between the layers. Physical 
security can always be employed if monitoring is a possible threat. 
The remainder of this discussion assumes that interlayer results are 
never accessible and are adequately protected. 

FIGURE 1: Comparison of Conventional and Layered Cryptosystems. 
(a) Cryptographic System; (b) M-Layered Cryptographic System. 

3. THE LAYERED APPROACH 

3.1 Layer Selection Criteria 

By adopting a few strategically chosen layers, a layered approach can 
be utilized to design private key cryptosystems. Before a mathemati- 
cal transformation may be classified as a layer, it must conform to 
the following specifications: 

a) a layer must be well defined in a mathematical sense while 
remaining simple in concept, and 

b) it must have an adequate key space with easily generated keys 
and inverse keys 

c) be efficient in terms of time and space 

d) be easy to program for software simulation and implementation 

e) be suitable for VLSI design and implementation. 

It is plausible that if each individual layer in a layered crypto- 
system meets these requirements, then the synthesized layered 
algorithm will conform to them as well. 

3.2 Layer Interaction and Transparency 

With the layer selection criteria established, it becomes necessary to 
develop additional guidelines for concatenation of layers. An 
important consideration in concatenating layers to synthesize a 
complete algorithm is the problem of layer interaction. There is an 
obvious disadvantage to concatenate two layers which can each be 
compromised on an individual basis by the same attack. 

A concept is introduced here which helps to deal with layer inter- 
action and is defined as layer transparency. To define transparency, 
consider the transformation r[ ] of Figure 2 which maps X into Y, 
where X and Y are n-bit vectors. Let g(X) be the result of a simple 
operation g(·) on the input X. If g(X) is mapped to h(Y) by r[ ], 
where h(·) is also a simple operation, then it is said that r[ ] is 
transparent to g(·), and that g(·) is a transparency of r[ ]. In 
this discussion, it should be noted that g(·) and h(·) may be the same 
operation. As an example, g(X) could be a cyclic shift of X by one 
bit and h(Y) a cyclic shift of Y by t bits, where 1 ≤ t ≤ n-1. If 
t = 1, then the two operations g(·) and h(·) would be identical. 

As a general rule, two adjacent layers in a layered cryptographic 
algorithm should not have common transparencies. In addition, it is 
desirable that all layers in a cryptosystem do not share many of the 
same transparencies. 

3.3 Buffers 

The problem of selecting various useful transformations that strictly 
follow the two transparency rules may not be simple. What is required 
are simple operations to isolate the main layer transformations. As 
an example, two nearly compatible transformations may be suitable as 
adjacent layers except for a single common transparency. If a simple 
operation can be found that does not preserve this common transpar- 
ency, then it can be inserted between the two layers. The resultant 
new transformation of a simple layer sandwiched between two main 
layers is no longer hampered by the transparency. The simple opera- 
tions in question are defined as 'buffers', and for simplicity they 
can be considered as another layer in the layered cryptosystem. 
However, buffers differ from the main layers in that they do not 
possess a key space. 

FIGURE 2: Illustration of Transparency. r[ ] maps X to Y and g(X) to h(Y). 
r[ ] - invertible transformation; X - n-bit input vector; Y - n-bit output vector; 
g(·), h(·) - simple operations. 

There are two types of buffers defined by their position relative to 
the main transformations. The first type are positioned before the 
first and after the last layers. This buffer type is defined as an 
'outer buffer'. In a cryptosystem of only a few layers, it is 
critical that a cryptanalyst not be allowed to probe the outer layers 
using strategically selected inputs. Knowledge of the transparencies 
of the first layer, for example, can be utilized in such a manner as to 
derive the result of this transformation without actual knowledge of 
its key. Hence, for the given strategic input, the first layer is 
effectively by-passed, leaving a weakened algorithm to compromise. 

It is realized that a constant operation is not suitable for an outer 
buffer. Since we assume that every feature of the cryptographic 
algorithm will be public knowledge, except for the key of course, a 
cryptanalyst can derive the result of any constant operation and have 
direct access to the outer layers as before. It is thus necessary 
that outer buffers be computed from key-dependent operations so that 
the result of a given buffer operation cannot be determined without 
knowledge of the keys. For a given key set, this may be accomplished 
by computing the buffers from a single one-way function of the layer 
keys. Hence, actual inputs to the first main layer cannot be derived, 
preventing effective chosen-plaintext attacks. 

The second type of buffers are positioned between two main layers. 
These buffers are defined as 'interlayer buffers' and their purpose is 
to prevent the preservation of transparencies that exist in common 
with two adjacent main transformations. 

In contrast to an outer buffer, the input to any interlayer buffer is 
never directly accessible, making it unnecessary for interlayer 
buffers to be key-dependent operations. Further, it is preferable if 
the interlayer buffers are key-independent operations as they would 
not require any pre-computation for a given key set. 

3.4 Additional Considerations 

In a system where all main layers and buffers are linear, the system 
transformation may be represented equivalently by a simplified linear 
operation. An attack based on the principle of superposition can be 
utilized to compromise a linear cryptosystem. It is thus necessary to 
ensure that the overall system transformation for the layered 
algorithm is nonlinear. This can be accomplished by selecting one of 
the main layers as a nonlinear transformation. 

A second consideration when dealing with layer concatenation is sym- 
metry. Carefully selecting the layers in a symmetrical configuration 
will allow the encryption and decryption functions to be performed 
using the same algorithm. A schematic diagram of a symmetrical 
layered configuration is given in Figure 3. For this 3-layered 
example illustrated in the figure, the essential nonlinear transforma- 
tion can be either Layer A or Layer B. 

In order to facilitate the symmetry in Figure 3, several conditions 
must be satisfied. First the two outside layers must be selected as 
identical transformations. In practice, different keys would be used 
for these two layers to keep the system key space as large as pos- 
sible. The next requirement for total symmetry is that the two outer 
buffers must be identical operations. The interlayer buffers must 
also meet this requirement. The relative positions of these buffers 
are clearly illustrated in Figure 3. The last requirement is that the 
outer buffers must be their own inverse operations. The interlayer 
buffers must also fulfill this requirement. 

FIGURE 3: Symmetrical Layered Configuration (encryption and decryption paths). 
P - plaintext; C - ciphertext; O.B. - Outer Buffer; I.B. - Interlayer Buffer; 
f{K} - one-way function; $K = (K_{A_1}, K_B, K_{A_2})$ = encryption key set; 
$(K_{A_2}^{-1}, K_B^{-1}, K_{A_1}^{-1})$ = decryption key set. 

With these conditions included in a symmetrical layered configuration, 
total algorithm symmetry is obtained. As shown in Figure 3, if the 
encryption key set is $(K_{A_1}, K_B, K_{A_2})$, then the corresponding decryp- 
tion key set is $(K_{A_2}^{-1}, K_B^{-1}, K_{A_1}^{-1})$. In this notation, $K_{A_1}^{-1}$ represents 
the mathematical inverse (decryption key) of $K_{A_1}$ for the transforma- 
tion of layer A. A benefit resulting from designing a symmetrical 
algorithm is the reduction in the amount of chip area needed to incor- 
porate both encryption and decryption in a single chip VLSI implemen- 
tation. 

3.5 Summary of Approach 

The important concepts pertinent to the layered design approach of 
cryptographic algorithms were presented. Selection criteria for 
transformations were established and the concept of transparency was 
introduced to resolve the problem of layer interaction. System 
transparencies can be eliminated by carefully selecting transforma- 
tions with specified properties, and by utilizing specially designed 
buffers. The presence of at least one nonlinear operation is essen- 
tial to the security of the algorithm. The essential nonlinearity can 
be accommodated by selecting a nonlinear transformation as one of the 
layers. A symmetrical layered configuration has several advantages, 
but is not necessary for constructing a secure system. By selecting 
certain transformations and concatenating them using the established 
criteria in this section, it may be possible to synthesize a secure 
cryptosystem. 

4. DESIGN OF A LAYERED CRYPTOGRAPHIC ALGORITHM 

Before presenting the following discussion, it is important to clarify 
that the algorithm given here is not intended to represent an un- 
breakable cryptosystem. It is simply given here in order to illust- 
rate the structured approach to designing cryptographic algorithms 
given in the previous section. 

Utilizing the layered approach given in Section 3, a private key 
cryptographic algorithm has been designed using the exact configura- 
tion given in Figure 3. The Layer A transformations have been selected 
as linear transformations and Layer B as the essential nonlinear 
transformation. 

4.1 Nonlinear Layer 

There are a number of nonlinear transformations that have been used in 
cryptographic applications. For reasons of dependability and reputa- 
tion as a strong algorithm, the RSA algorithm [13] was examined for 
possible foundations for a nonlinear transformation. On that basis, 
modular exponentiation was chosen to represent the nonlinear layer. A 
modulus of $2^n - 1$, for n-bit block encryption, was chosen as an 
appropriate modulus for this transformation. In this discussion, n is 
a power of 2, for reasons which will become evident. There are two 
reasons for choosing this particular modulus. First, the integer $2^n - 1$ 
is a product of r distinct prime numbers (at least as far as n = 64). 
This is an extension of the two prime case used with the RSA modulus. 
The second reason is an implementation feature of $2^n - 1$ in that actual 
division is not required to perform modulo reduction by $2^n - 1$. This 
will become clear in Section 5 where implementation considerations are 
discussed. 

To summarize, the following nonlinear transformation is used as Layer 
B in the symmetrical layered configuration of Figure 3: 

$$Y = \begin{cases} 2^n - 1, & \text{if } X = 2^n - 1 \\ X^{K_B} \bmod (2^n - 1), & \text{otherwise} \end{cases}$$

where X is the n-bit input, Y is the n-bit output, and $K_B$ is the key for layer B. 

Ordinarily 0 and $2^n - 1$ are equivalent modulo $2^n - 1$, and hence both of 
these inputs would produce an all zero binary output. The conditional 
equality in the above definition is necessary to resolve this 
situation. 

In order that we may decrypt correctly, an inverse $K_B^{-1}$ must exist such 
that 

$$\left(X^{K_B}\right)^{K_B^{-1}} \bmod (2^n - 1) = X.$$

This relation can be satisfied for any modulus that is a product of r 
distinct primes, if the following relationship is true [2] 

$$K_B \cdot K_B^{-1} \equiv 1 \pmod{\phi(2^n - 1)}$$

where $\phi(\cdot)$ is the Euler totient function. The above relation reduces 
to the property that $K_B$ must be chosen relatively prime to $\phi(2^n - 1)$. 

Blakley and Borosh [2] recognized that transformations of this type 
always have a certain number of inputs that are mapped to themselves, 
defined as unconcealed inputs. For this particular transformation, 
this phenomenon may be represented mathematically as 

$$X^{K_B} \bmod (2^n - 1) = X.$$

To minimize the number of unconcealed inputs, it is required that $K_B$ 
be chosen under the following additional constraint: 

$$\mathrm{GCD}\left[K_B - 1,\ \mathrm{LCM}(p_1 - 1, \ldots, p_r - 1)\right] = 2$$

where GCD is the Greatest Common Divisor, 
LCM is the Least Common Multiple, 
and $\{p_1, \ldots, p_r\}$ are the r unique prime factors of $2^n - 1$. 






For exponentiation mod $2^n - 1$, the actual minimum number of unconcealed 
inputs is $3^r + 1$. This minimum number can only be achieved if $K_B$ 
satisfies the above relation. For a block length of n = 64, there are 
a minimum of 2188 unconcealed inputs since $2^{64} - 1$ is a product of 7 
distinct prime numbers. The number of key bits generated by exponen- 
tiation modulo $2^n - 1$, with n = 64, is estimated to be 29. 

4.2 Linear Layers 

By concatenating a simple linear transformation possessing specified 
properties with a nonlinear layer, it is plausible that a stronger 
transformation will result from the concatenation. A particular 
family of linear transformations used in cryptographic applications is 
modular multiplication. These transformations have been studied 
previously by Leung and Tavares [12] for modulus values of $2^n$ and 
$2^n - 1$. Multiplication modulo $2^n - 1$ is a fundamental transformation in a 
cryptographic algorithm proposed by Akl and Meijer [1]. 

Multiplication modulo $2^n$ was chosen over $2^n - 1$ for two reasons. First, 
this modulus is different from the modulus of the nonlinear exponen- 
tiation transformation. If each layer was some operation modulo $2^n - 1$, 
and ignoring the effect of any interlayer buffers, then it is possible 
to simplify the overall mathematical representation of the 3-layered 
concatenation by applying the principles of modular arithmetic [5]. 

The second reason is that multiplication modulo $2^n$ is not transparent 
to complements, whereas multiplication mod $2^n - 1$ is transparent to this 
complement operation. To further clarify this operation, a bit-wise 
complement of any input produces a bit-wise complement of its corres- 
ponding output. It can be shown that both multiplication and 
exponentiation mod $2^n - 1$ are transparent to complements. Thus selecting 
multiplication mod $2^n - 1$ would tend to violate the layer interaction 
criteria established in Section 3.2. Proof of the complement trans- 
parency for exponentiation mod $2^n - 1$ is given in Appendix A. 

In summary, the linear transformations indicated by Layer A in Figure 
3 may be represented analytically as: 

$$Y = X \cdot K_A \bmod 2^n$$

where X is the n-bit input, 
Y is the n-bit output, 
and $K_A$ is the key for layer A. 

In order to estimate the size of the key space for this transform- 
ation, the number of keys $K_A$ that allow X to be recovered from Y must 
be known. From elementary number theory, X has a unique inverse mod 
$2^n$ if the integers $K_A$ and $2^n$ are relatively prime. The number of 
integers relatively prime to $2^n$ is $\phi(2^n) = 2^{n-1}$. Hence for n = 64, 
there are $2^{63}$ keys that will allow successful decryption. Since 
the GCD$(K_A, 2^n)$ must equal 1, $K_A$ must be an odd integer and thus 
valid 64-bit keys may be selected by simply setting the least signifi- 
cant bit of $K_A$ to binary one. 

4.3 Common Transparencies and Buffer Selection

The design of the buffers depends on the common transparencies that
exist between the main transformations of the algorithm. The
following is a summary of the known transparencies and weaknesses that
are common to exponentiation mod 2^n - 1 and multiplication mod 2^n.

i) The all-binary-zero input maps to itself in both transformations.

ii) Both transformations are transparent to shifting, although
multiplication is transparent to logical shifts, and
exponentiation is transparent to a variation of cyclic shifts.

iii) Multiplication is preserved under modular exponentiation and
modular multiplication.

The transparencies and weaknesses above can be easily verified for
each transformation.

Recall that the purpose of outer buffers is to inhibit an intruder
from launching chosen-plaintext attacks. Outer buffers must also be
key-dependent operations. For simplicity and ease of implementation,
the exclusive-OR addition of a key-dependent n-bit sequence V is
suitable for the outer buffers. To determine a particular value of V
for a given key set, it is necessary that V be derived from a one-way
function of the three keys. Therefore, the sequence V cannot be
computed unless the three layer keys are known. Exclusive-OR
addition is also its own inverse operation and thus satisfies the
conditions needed to maintain the symmetrical layered configuration
depicted in Figure 3. By coincidence, this buffer operation also
eliminates the zero input mapping to itself.

The second and third common transparencies listed at the beginning of
this section are left to be resolved by the interlayer buffers. It
should be pointed out that the third transparency is true only when
the product of the inputs in question is less than 2^n. If the product
is greater than this value, then multiplication is not preserved
through the concatenation of the three layers. This result stems from
the fact that two different modulus values are used in the
transformations.

An n-bit permutation \rho is a suitable interlayer buffer under the
following constraints:

i) \rho does not preserve shifts
ii) \rho does not preserve multiplication
and iii) \rho is its own inverse operation

The first two constraints rectify the second and third common
transparencies and the last constraint is necessary to satisfy the
symmetrical layered configuration conditions.

4.4 Summary of 3-Layered Algorithm

A block diagram summary of the 3-layered cryptographic algorithm is
shown in Figure 4. The layers indicated by Layer A in Figure 3 are
multiplication modulo 2^n transformations, and Layer B is the nonlinear
exponentiation modulo 2^n - 1 transformation. To easily distinguish
between the two multiplication layers, a notation change from letters
to numbers is done. The layers are labelled as 1, 2 and 3 going from
left to right in Figure 4. The outer and interlayer buffers shown in
the figure are as defined in Section 4.3.

If we let T(\cdot) represent the overall transformation depicted in Figure
4, then the encryption operation may be represented as

    C = T_K(P)

where P is the plaintext,
      C is the ciphertext,
and   K = {K_1, K_2, K_3} is the encryption key set. Since the algorithm
is symmetrical, the decryption operation may also be represented in
terms of the same transformation as

    P = T_{K^{-1}}(C)

where K^{-1} = {K_1^{-1}, K_2^{-1}, K_3^{-1}} is the decryption key set. Thus, the
distinguishing feature between encryption and decryption with this
algorithm is the key set used in each case. The decryption keys are
related to their encryption key counterparts by the following
equations:



    i)   K_1 \cdot K_1^{-1} \bmod 2^n = 1

    ii)  K_2 \cdot K_2^{-1} \bmod (2^n - \ldots) = 1

    iii) K_3 \cdot K_3^{-1} \bmod 2^n = 1

Calculating the integer values of each decryption key can thus be
accomplished by using Euclid's algorithm [9].



[Figure 4 (block diagram, not reproduced): P passes through an outer
buffer (exclusive-OR with V{K}), the MULT mod 2^n layer, an interlayer
buffer \rho, the EXP mod 2^n - 1 layer, a second interlayer buffer \rho, the
MULT mod 2^n layer, and a second outer buffer (exclusive-OR with V{K})
to give C.]

P: n-bit plaintext

C: n-bit ciphertext

K_1, K_2, K_3: user selected keys for layers 1, 2, 3

K: {K_1, K_2, K_3}

V: n-bit sequence derived from a one-way function of the keys

\rho: interlayer buffer operation

\oplus: bit-wise exclusive-OR operation

FIGURE 4: Block Diagram of the 3-Layered Cryptographic Algorithm.



5. IMPLEMENTATION CONSIDERATIONS 

The discussion included in this section is intended to illustrate the
relatively simple algorithms that are needed to implement the main
transformations in the algorithm of Figure 4. The primary consideration
of the design criteria was to facilitate a VLSI (very large scale
integration) application. Pseudo-code algorithms suitable for VLSI
implementation of the main transformations are contained in Appendix
B. Simple shift-registers and adders are the primary components
necessary to implement these algorithms.

The first pseudo-code algorithm given in Appendix B is for modular
exponentiation. It uses repeated squaring and multiplication to
implement exponentiation. The algorithm scans the bits of the binary
representation of the exponent, starting with the least significant
bit. For each bit of the exponent, a squaring operation is performed
if the bit is a binary zero, and squaring followed by multiplication if
the current exponent bit is a binary one. All squaring and multiplication
operations are reduced modulo 2^n - 1, and can be implemented
using the second algorithm given in Appendix B.

The second and third algorithms of Appendix B are for multiplication
modulo 2^n - 1 and 2^n respectively. Both utilize "shifting and adding"
techniques to implement multiplication. These algorithms are efficient
since actual division is not performed when modulo reducing by
either 2^n or 2^n - 1.

For a modulus of 2^n, all overflow bits resulting from the repeated
addition operations are simply truncated in order to modulo reduce.
The overflow bits represent integer multiples of 2^n, and hence
truncating these bits is equivalent to dividing by 2^n. For 2^n - 1, the
overflow bits are not truncated, but are cyclically shifted and added to
the least significant bit of the result. This is equivalent to
subtracting a value of 2^n - 1.

To implement the outer buffer operations in VLSI, n two-input
exclusive-OR gates in parallel can be used for each buffer. Since
interlayer buffers can be selected as constant permutations, they can
be hard-wired in a VLSI implementation.

6. PERFORMANCE

Since the 3-layered algorithm cannot be proven secure, we must rely on
certain tests and analyses to provide confidence in the algorithm. A
few statistical tests have been applied to the algorithm in order to
evaluate its cryptographic performance. The tests listed below were
used in the evaluation:

i) Plaintext/Ciphertext Complexity Test
ii) Avalanche Complexity Test
iii) Bit Distribution Test
iv) Cycle Test

The above tests were performed on a 32-bit software implementation of
the algorithm. Using a VAX 11/750 computing facility, assembly
language routines were written to simulate each layer.

The first two tests listed above depend on the concept of complexity.
The complexity criterion [12] was used extensively for performing
these statistical tests, and a measure of complexity developed by
Lempel and Ziv [11] was used to evaluate the randomness properties of
the algorithm. In general, the difference between any plaintext and
its corresponding ciphertext should have high complexity with a high
probability [12]. This complexity is referred to as plaintext/
ciphertext complexity and is measured using the first test. In
addition, the difference between two ciphertexts whose corresponding
plaintexts differ by a predetermined bit must also have this high
complexity. Horst Feistel [6] termed this property the Avalanche
Effect, and it is measured using the avalanche complexity test.

An additional test is a bit distribution test which simply counts the
number of binary ones (or zeros) in the two variations of difference
sequences mentioned above. Over a large sample of randomly selected
plaintext, the resulting bit distribution should resemble the binomial
distribution if the differences are indeed random.

The last test that was applied to the algorithm is a cycle test [10].
The purpose of this particular test is to determine if the set of
permutations for the overall algorithm transformation is closed under
functional composition. If the transformation is closed, then the set
of transformations may generate a small group and hence contain a
weakness that is vulnerable to a known-plaintext attack [8]. The
cycle test that was implemented examines the orbits of plaintext
messages under fixed keys which are produced by the algorithm in
output-feedback mode. Although this is not the most efficient closure
test [8], it was felt that this particular version of the test was the
simplest and best suited for the available resources.

The results of the first three statistical tests listed at the beginning
of this section indicate that the 3-layered algorithm performs
well cryptographically. It appears that the algorithm in fact possesses
good randomness properties. The cycle test results are inconclusive
as only a few tests have been completed. Results thus far
indicate that the overall transformation of the 3-layered algorithm is
not closed under functional composition.

7. CLOSING REMARKS 

We have presented a layered approach to designing strong cryptographic 
algorithms using conceptually simple mathematical transformations. 
Although the layers themselves are weak in isolation, they make a 
necessary contribution to the overall strength of the algorithm. This 
is a simplified approach which can reduce the complexity of designing 
a cryptographic algorithm. 

In addition, a three-layered cryptographic algorithm has been designed
using the layering technique. Although the algorithm was presented to
illustrate the design criteria, it in fact appears strong and
possesses several attractive features. Naturally, it is possible that
cryptanalysis could show that the algorithm is weak, or under certain
conditions, may be compromised completely. In either case, the
analysis would be interesting due to the simple concepts and
mathematical properties inherent in the design. The layered approach
would still be considered useful as it reduces the complexity of
algorithm design. It also allows a designer to develop layered
algorithms reasonably fast, since previously studied transformations
can be chosen as layers.



ACKNOWLEDGEMENT 

The authors would like to acknowledge the financial support of the 
Natural Sciences and Engineering Research Council of Canada under 
Strategic Grant #C-1364. 



REFERENCES

[1] Akl, S.G. and Meijer, H., "Two New Secret Key Encryption
Algorithms", presented at Eurocrypt '85, Linz, Austria, Apr. 1985.

[2] Blakley, G.R. and Borosh, I., "Rivest-Shamir-Adleman Public Key
Cryptosystems Do Not Always Conceal Messages", Comp. & Maths.
with Appls., Vol. 5, pp. 168-178, Pergamon Press Ltd., 1979.

[3] "Data Encryption Standard", FIPS PUB 46, National Bureau of
Standards, Washington, D.C., Jan. 1977.

[4] Davies, D.W., "Some Regular Properties of the DES", Advances in
Cryptology: Proceedings of Crypto '82, pp. 89-96, Plenum Press,
1983.

[5] Denning, D.E., Cryptography and Data Security, Addison-Wesley,
Reading, Mass., 1982.

[6] Feistel, H., "Cryptography and Computer Privacy", Sci. Am., Vol.
228, pp. 15-23, May 1973.

[7] Hellman, M.E., et al., "Results of an Initial Attempt to
Cryptanalyze the NBS Data Encryption Standard", Information
Systems Lab., Dept. of Electrical Eng., Stanford Univ., 1976.

[8] Kaliski, B.S., Rivest, R.L. and Sherman, A.T., "Is the Data
Encryption Standard a Group?", presented at Eurocrypt '85, Linz,
Austria, Apr. 1985.

[9] Knuth, D., The Art of Computer Programming, Vol. 2, Seminumerical
Algorithms, Addison-Wesley, Reading, Mass., 1969.

[10] Konheim, A.G., Cryptography: A Primer, John Wiley and Sons, New
York, 1981.

[11] Lempel, A. and Ziv, J., "On the Complexity of Finite Sequences",
IEEE Trans. on Info. Theory, Vol. IT-22, pp. 75-81, Jan. 1976.

[12] Leung, A.K. and Tavares, S.E., "Sequence Complexity as a Test
for Cryptographic Systems", Proceedings of Crypto '84, pp. 468-
474, Springer-Verlag, 1985.

[13] Rivest, R.L., Shamir, A. and Adleman, L., "A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems", Comm. ACM,
Vol. 21, pp. 120-126, Feb. 1978.

[14] Shannon, C.E., "Communication Theory of Secrecy Systems", Bell
Syst. Tech. J., Vol. 28, pp. 656-715, Oct. 1949.

[15] Spencer, K.E. and Tavares, S.E., "Layered Broadcast Cryptographic
Systems", Advances in Cryptology: Proceedings of Crypto
'83, pp. 157-170, Plenum Press, 1984.






APPENDIX A

Proof of Complement Transparency for Exponentiation Mod 2^n - 1

It is required to show that a bit-wise complement of any input produces
a bit-wise complement of its corresponding output for
exponentiation mod 2^n - 1.

Proof: More formally, it is required to show that if

    X^K = Y \bmod (2^n - 1)

then

    \bar{X}^K = \bar{Y} \bmod (2^n - 1),

where \bar{X} and \bar{Y} are the bit-wise complements of X and Y respectively and
K is odd.

We can write

    X + \bar{X} = 2^n - 1

or  X + \bar{X} = 0 \bmod (2^n - 1)

or  \bar{X} = -X \bmod (2^n - 1).

Squaring,

    \bar{X}^2 = X^2 \bmod (2^n - 1)

and thus

    \bar{X}^U = X^U \bmod (2^n - 1),   U even

and

    \bar{X}^V = -X^V \bmod (2^n - 1),   V odd.

Let X^K = Y \bmod (2^n - 1), K odd; then

    \bar{X}^K = -X^K \bmod (2^n - 1)
             = -Y \bmod (2^n - 1)
             = \bar{Y} \bmod (2^n - 1).

APPENDIX B

Pseudo-code Algorithms for Layer Transformations

In this appendix are pseudo-code algorithms for the two transformations
of the 3-layered algorithm. A total of three algorithms are
included as follows:

i) Algorithm #1: Exponentiation mod 2^n - 1

ii) Algorithm #2: Multiplication mod 2^n - 1

iii) Algorithm #3: Multiplication mod 2^n

Algorithm #1 requires the use of Algorithm #2 in the form of a
subroutine in order to perform the full modular exponentiation
transformation. Algorithms #2 and #3 are shifting and adding based
routines which include the appropriate variations necessary to perform
modulo reduction.

The three algorithms are presented here purposely for a VLSI
application. Each algorithm can be implemented almost entirely with
shift-registers, adders, and a carry-bit function. For these
algorithms, the value of n is not considered variable, but is in
fact a constant equal to the specified block length of the cryptosystem.
Thus n will govern certain design parameters such as the size
of internal registers. For notation, all input and output variables
(denoted as capital letters) are regarded as n-bit integers, and the
i-th bit position of X is expressed as X(i) in these algorithms.



ALGORITHM #1

Exponentiation mod 2^n - 1

Returns: Y = X^K mod 2^n - 1

Input: X, K

    i = 0
    if (K(i) = 1) then
        Y = X
    else
        Y = 1
    end if
    i = 1
    do while (i < n)
        X = X * X mod 2^n - 1
        if (K(i) = 1) then
            Y = X * Y mod 2^n - 1
        end if
        i = i + 1
    end do

Output: Y

ALGORITHM #2

Multiplication mod 2^n - 1

Returns: P = A * B mod 2^n - 1

Input: A, B

    P = 0
    i = 0
    do while (i < n)
        if (B(i) = 1) then
            P = P + csl(i,A)        (n-bit addition; carry = overflow bit)
            if (carry = 1) then
                P = P + 1           (end-around carry: 2^n = 1 mod 2^n - 1)
            end if
        end if
        i = i + 1
    end do

Result: P

csl(i,A) = cyclic shift left of A by i bits
carry = carry bit function

ALGORITHM #3

Multiplication mod 2^n

Returns: Y = X * K mod 2^n

Input: X, K

    Y = 0
    i = 0
    do while (i < n)
        if (K(i) = 1) then
            Y = Y + lsl(i,X)        (overflow bits truncated, i.e. mod 2^n)
        end if
        i = i + 1
    end do

Output: Y

lsl(i,X) = logical shift left of X by i bits
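The three Appendix B routines, as an added Python example (not the paper's own code), written at bit level in the way Section 5 describes (truncation for 2^n, end-around carry for 2^n - 1), together with the decryption-key relation K * K^{-1} mod 2^n = 1 of Section 4.4 for the two multiplication layers; the function names, the block length n = 8 and the sample key and plaintext values are constructed for illustration.

```python
"""Added example, not the paper's own code: the three Appendix B routines
written out at bit level, plus the decryption-key relation
K * K^-1 mod 2^n = 1 (Section 4.4) for the multiplication layers.
Block length, keys and data below are constructed sample values."""


def csl(i, a, n):
    """Cyclic (end-around) shift left of the n-bit word a by i bits."""
    mask = (1 << n) - 1
    i %= n
    return ((a << i) | (a >> (n - i))) & mask


def lsl(i, x, n):
    """Logical shift left of x by i bits; bits shifted past position n-1
    are truncated, which is exactly reduction modulo 2^n."""
    return (x << i) & ((1 << n) - 1)


def mul_mod_2n_minus_1(a, b, n):
    """Algorithm #2: shift-and-add multiplication modulo 2^n - 1.
    The carry out of the n-bit adder represents 2^n, which is congruent
    to 1 modulo 2^n - 1, so it is added back into the least significant
    bit instead of being discarded (the 'end-around carry')."""
    mask = (1 << n) - 1
    p = 0
    for i in range(n):
        if (b >> i) & 1:
            s = p + csl(i, a, n)
            carry = s >> n          # carry-bit function of the n-bit adder
            p = s & mask
            if carry:
                p += 1              # p <= 2^n - 2 here, so no second carry
    # 0 and the all-ones word both denote zero modulo 2^n - 1; return the
    # canonical representative so results compare directly with a % (2^n - 1).
    return 0 if p == mask else p


def mul_mod_2n(x, k, n):
    """Algorithm #3: shift-and-add multiplication modulo 2^n; the overflow
    bits are integer multiples of 2^n and are simply truncated."""
    mask = (1 << n) - 1
    y = 0
    for i in range(n):
        if (k >> i) & 1:
            y = (y + lsl(i, x, n)) & mask
    return y


def exp_mod_2n_minus_1(x, k, n):
    """Algorithm #1: repeated squaring and multiplying, scanning the n-bit
    exponent k from its least significant bit, with Algorithm #2 as the
    subroutine for every product."""
    y = x if k & 1 else 1
    for i in range(1, n):
        x = mul_mod_2n_minus_1(x, x, n)
        if (k >> i) & 1:
            y = mul_mod_2n_minus_1(x, y, n)
    return y


def decryption_key_mult(k, n):
    """Decryption key for a multiplication layer: the K^-1 with
    K * K^-1 mod 2^n = 1, found with the extended Euclidean algorithm.
    As Section 4.2 notes, K must be odd (gcd(K, 2^n) = 1) for this
    inverse to exist, so even keys are rejected."""
    if k & 1 == 0:
        raise ValueError("multiplication-layer key must be odd")
    m = 1 << n
    old_r, r = k % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % m


if __name__ == "__main__":
    n = 8                       # constructed small block length
    k1, x = 0xB3, 0x69          # constructed odd key and plaintext block
    y = mul_mod_2n(x, k1, n)
    k1_inv = decryption_key_mult(k1, n)
    print(f"K1 = {k1:#04x}, K1^-1 = {k1_inv:#04x}, "
          f"K1*K1^-1 mod 2^n = {(k1 * k1_inv) % (1 << n)}")
    print(f"layer 1: {x:#04x} -> {y:#04x} -> {mul_mod_2n(y, k1_inv, n):#04x}")
    print("layer 2 check:", exp_mod_2n_minus_1(3, 5, n), "==", pow(3, 5, 255))
```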



LIFETIMES OF KEYS
IN CRYPTOGRAPHIC KEY MANAGEMENT SYSTEMS

E. Okamoto and K. Nakamura
C&C Systems Research Laboratories
NEC Corporation
Miyamae-ku, Kawasaki 213 Japan

1. INTRODUCTION 

Network architectures, such as System Network Architecture
(SNA) [1], have an encryption function including key management at
a functional layer. SNA uses the Data Encryption Standard (DES) [2]
to encrypt data and keys. A data encrypting key is encrypted
with a master key and transmitted before every session. However,
"the lifetime of the master key", namely, the time when the
master key should be changed, is not prescribed. If the same key
is used for a long time, it is probable that this secret key will
be exposed.

This paper describes the lifetimes of keys. The lifetimes
are the optimal key change periods, because they represent the
optimal time intervals between key changes. We investigate the
lifetimes of keys in two types of key distribution schemes. One
scheme is the usual scheme where the data encrypting key to be
used in the next session is encrypted with an upper-level key
encrypting key and transmitted to the receiving side. In the
other scheme this encrypted data encrypting key is encrypted
again with the data encrypting key being used at the present
session and transmitted to the receiving side. In both schemes,
the key encrypting key may be encrypted with more upper-level key
encrypting keys. In this paper, the former scheme and the latter
scheme are called SCHEME 1 and SCHEME 2, respectively. The key
lifetime in SCHEME 2 is shown to be much longer than that in
SCHEME 1.

In the discussion, we assume that the cryptanalytic attack is based
on the simplest method, namely the exhaustive key search. It may
be possible to cryptanalyze in a shorter time, using statistical
characteristics of encrypted data sequences, though there has
been no such DES cryptanalysis reported so far. Hence, the
lifetimes of keys described in this paper show one of the upper
bounds.

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 246-259, 1986.
© Springer-Verlag Berlin Heidelberg 1986

Moreover, this paper deals with DES as an example. However, 
it utilizes only the fact that the effective key length is 56 
bits, hence the discussion can be applied to other encryption 
algorithms. 

2. KEY DISTRIBUTION SCHEMES AND THEIR CRYPTANALYSIS METHODS

Figure 1 shows two types of key distribution schemes, SCHEME
1 and SCHEME 2. In Fig. 1, E and D show the encryption
transformation and the decryption transformation, respectively.
M shows a message and R a register. The lowest level key, K_1, is
a data encrypting key which is called a work key. The second
level key, K_2, is used to encrypt K_1 for distribution, and so on.
The highest level key, K_L, is not encrypted. It is sent via a
secure channel or by a courier. Key K_L is called a master key.
Every key is generated randomly at the sending side.

In SCHEME 2, when K_i is changed to a new key, selectors
SEL_{i-1}, SEL_{i-2}, ..., SEL_0 select the upper lines and switches SW_{i-1},
SW_{i-2}, ..., SW_0 connect each decryptor output to the upper lines in the
figure. Hence E_{K_{i+1}}(K_i) is multi-encrypted with K_{i-1}, K_{i-2}, ..., K_1.

We assume that the cryptanalysis method is based on an
exhaustive key search described below.

Cryptanalysis method for SCHEME 1

1) Obtain C_1 = E_{K_1}(M), C_2 = E_{K_2}(K_1), ..., C_L = E_{K_L}(K_{L-1}), where
E_{K_i}(M) shows the message M encrypted with key K_i and C_i a
cipher text.

2) Select a master key candidate KC_L.

3) Calculate lower level key encrypting key candidates

    KC_{L-1} = D_{KC_L}(C_L),  KC_{L-2} = D_{KC_{L-1}}(C_{L-1}),  ...,  KC_1 = D_{KC_2}(C_2)

and message candidate MC = D_{KC_1}(C_1).

4) If MC is the right message M, then let K_L = KC_L and decode
cipher texts, otherwise select another master key candidate
and go to 3).
Cryptanalysis method for SCHEME 2

1) Search for key K_1 from E_{K_1}(M) and (partial) M. If K_1
is found, decode cipher texts until K_1 is changed.

2) Search for key K_2 from E_{K_2}(K_1) and K_1. If K_2 is found,
decode cipher texts until K_2 is changed.

...

L) Search for key K_L from E_{K_L}(K_{L-1}) and K_{L-1}. If K_L is
found, decode cipher texts until K_L is changed.

There may be many Ks satisfying E_K(M) = C when message text M
and cipher C are given. Hence, it is necessary to check
E_K(M') = C' with other M' and C'. If E_K(M') \neq C', continue to
search for K. In this paper, searching for K from E_K(M) and M
means finding the real K.

If a cryptanalyst stores all cipher texts in a memory,
they can all be decoded after finding the keys. However, the
texts are usually quite old when the keys are cryptanalyzed,
because cryptanalysis requires much time. Hence, we assume that
the cryptanalyst tries to obtain online real-time messages.
Disclosure rate \varepsilon_L is defined as

    \varepsilon_L = \frac{\text{mean interval in which messages are disclosed}}{\text{interval in which } K_L \text{ is used}}    (1)

In general, rate \varepsilon_L increases with the length of the interval in
which K_L is used.



3. LIFETIMES OF KEYS

This section expresses the lifetimes of keys as functions
of the number of key levels and the disclosure rate. First, the
disclosure rates are derived.



3.1 Disclosure rate

(1) Disclosure rate for SCHEME 1

Let t_L be the time when K_L is disclosed, and T_L be the time
when K_L is changed. Time t_L is a random variable. The probability
density function p(t) of disclosure of K_L can be expressed as

    p(t) = \begin{cases} \dfrac{1}{LA} & (0 \le t \le LA) \\ 0 & \text{otherwise,} \end{cases}    (2)

where A is the total time in which all keys need to be
investigated. In the DES case, for example,

    A = 2^{56} \tau,    (3)

where \tau is the time for encrypting one block.

Messages are exposed in the period from time t_L to T_L, hence
disclosure rate \varepsilon_L is given by

    \varepsilon_L = \frac{1}{T_L} \int_0^{T_L} p(t_L)\,(T_L - t_L)\,dt_L = \frac{c_L}{2L},    (4)

where c_L is the normalized lifetime of a master key K_L, i.e.,

    c_L = T_L / A.    (5)

(2) Disclosure rate for SCHEME 2

Let t_i be the time when the i-th level key, K_i, is exposed
and let T_i be the time when K_i is changed. The distributions of times
t_i and T_i are shown in Fig. 2. All t_i are considered
as random variables.



The probability density function of disclosure of a key is

    p(t) = \begin{cases} \dfrac{1}{A} & 0 \le t < A \\ 0 & \text{otherwise} \end{cases}    (6)

Disclosure rate \varepsilon_L is given as

    \varepsilon_L = \frac{1}{T_L} \{ E[I(T_1 - t_1)]
                  + E[I(T_2 - t_2)] - E[I(T_1 - t_2)]
                  + E[I(T_3 - t_3)] - E[I(T_2 - t_3)]
                  + \cdots
                  + E[I(T_L - t_L)] - E[I(T_{L-1} - t_L)] \}    (7)

where E shows expectation and I is the function defined as
below.

    I(t) = \begin{cases} t & t > 0 \\ 0 & t \le 0 \end{cases}    (8)

The minus terms in Eq. (7) come from the cases where the
intervals (t_i, T_i) overlap each other.
E[I(T - t_i)] is calculated as

    E[I(T - t_i)] = \int_0^{\min(T,A)} p(t_1)\,dt_1 \int_{t_1}^{\min(T,\,t_1 + A)} p(t_2 - t_1)\,dt_2 \cdots \int_{t_{i-1}}^{\min(T,\,t_{i-1} + A)} p(t_i - t_{i-1})\,(T - t_i)\,dt_i .    (9)

As A is usually large, we assume that

    T_i \ll A \quad (i = 1, 2, \ldots, L).    (10)

Under this condition, E[I(T - t_i)] is

    E[I(T - t_i)] = \frac{1}{A^i} \int_0^{T} dt_1 \int_{t_1}^{T} dt_2 \cdots \int_{t_{i-1}}^{T} (T - t_i)\,dt_i
                  = \frac{1}{A^i} \int_0^{T} dx_1 \int_0^{x_1} dx_2 \cdots \int_0^{x_{i-1}} x_i\,dx_i , \quad (x_j = T - t_j)
                  = \frac{T^{i+1}}{(i+1)!\,A^i} ,    (11)

and \varepsilon_L is given as

    \varepsilon_L = \frac{1}{c_L} \sum_{i=1}^{L} \frac{c_i^{\,i+1} - c_{i-1}^{\,i+1}}{(i+1)!} ,    (12)

where

    c_i = T_i / A \quad (i = 1, 2, \ldots, L),    (13)

    c_0 = 0 .    (14)

Equations (4) and (12) relate disclosure rate \varepsilon_L to the
number of key levels L and the normalized key lifetimes c_i. In
SCHEME 2, it is desired that c_L be maximum, because K_L must be
changed manually. It can be derived that c_L is maximized at

    c_1 = c_2 = \cdots = c_{L-1} = 0    (15)

and the maximum c_L is given by

    c_L = ((L+1)!\,\varepsilon_L)^{1/L},    (16)

where \varepsilon_L is considered as a parameter (see Appendix).

The influence of c_1, \ldots, c_{L-1} on c_L will be investigated in detail
when L = 2.

Figure 3 shows the relation between \varepsilon_L and c_L, and Figure 4
shows the effectiveness of an increase of L on the lifetime of the key.
We can see that SCHEME 2 is much stronger than SCHEME 1 against
cryptanalysis.



3.2 Lifetimes of keys for the two level key cryptosystems

Lifetimes c_1 and c_2 in the two level key cryptosystems are
investigated. These types of cryptosystems are fairly often used.
From Eq. (12), the disclosure rate \varepsilon_2 for SCHEME 2 is represented
as

    \varepsilon_2 = \frac{c_1^2}{2c_2} + \frac{c_2^3 - c_1^3}{6c_2} .    (17)

Figure 5 shows the relations between c_1 and c_2 for some
values of a parameter \varepsilon_2.

Normalized lifetimes of keys c_2 and c_1 for SCHEME 2 are
optimized by the rules below.

1) c_2 is maximized.

2) c_1 is maximized under the condition that c_2 nearly equals
its maximum, i.e.,

    c_2 = \sqrt{6\,\varepsilon_2} .    (18)

Equation (18) comes from Eq. (16). In Figure 5, the maximum
points of c_1 are given as the cross points on the graph where
c_2 = \sqrt{6\,\varepsilon_2}. The line connecting these points is given by the
equation

    \log c_1 - \log 10^{-1} = \tfrac{3}{2} \left( \log c_2 - \log \sqrt{6 \times 10^{-1}} \right) ,    (19)

namely,

    c_1 = 0.56\,\varepsilon_2^{\,0.75} .    (20)

Equation (19) is obtained from Fig. 5 by rule of thumb.

The lifetimes of master keys T_2 are shown in Table 1, when
DES is employed.

For example, when \tau = 10^{-6} second, the master key for SCHEME 1
must be changed every year, whereas the master key for SCHEME 2
has only to be changed every 56 years to establish \varepsilon_2 = 10^{-4}
(1 hour/year). When \tau = 10^{-7} second, SCHEME 1 must change the
master key every month, whereas SCHEME 2 has only to change the
master key every 5 years. Therefore SCHEME 2 is superior to SCHEME
1 on the key lifetime.
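The lifetime formulas of Section 3, as an added Python example (not the paper's own code): Eqs. (3), (4), (12), (16) and (17) evaluated numerically to reproduce entries of Table 1 for L = 2; the function names and the sample values of \varepsilon_L and \tau are constructed for illustration.

```python
"""Added example, not the paper's own code: the key-lifetime formulas of
Section 3 evaluated numerically, using the paper's DES assumption of 2^56
keys (Eq. (3)).  Disclosure rates and encryption times below are
constructed inputs chosen to match entries of Table 1."""
from math import factorial

SECONDS_PER_YEAR = 365 * 24 * 3600


def total_search_time(tau, key_bits=56):
    """Eq. (3): A = 2^56 * tau, the time to try every key when one block
    takes tau seconds to encrypt."""
    return (2 ** key_bits) * tau


def disclosure_rate_scheme1(c_L, L):
    """Eq. (4): epsilon_L = c_L / (2 L) for SCHEME 1."""
    return c_L / (2 * L)


def disclosure_rate_scheme2(c):
    """Eq. (12) with c_0 = 0 (Eq. (14)): c = (c_1, ..., c_L) are the
    normalized lifetimes T_i / A; returns epsilon_L for SCHEME 2."""
    c_prev, total = 0.0, 0.0
    for i, c_i in enumerate(c, start=1):
        total += (c_i ** (i + 1) - c_prev ** (i + 1)) / factorial(i + 1)
        c_prev = c_i
    return total / c[-1]


def max_normalized_master_lifetime(eps_L, L):
    """Eq. (16): the largest c_L for a given epsilon_L, attained when the
    lower-level keys are changed continuously, c_1 = ... = c_{L-1} = 0."""
    return (factorial(L + 1) * eps_L) ** (1.0 / L)


def two_level_disclosure_rate(c_1, c_2):
    """Eq. (17): epsilon_2 = c_1^2 / (2 c_2) + (c_2^3 - c_1^3) / (6 c_2)."""
    return c_1 ** 2 / (2 * c_2) + (c_2 ** 3 - c_1 ** 3) / (6 * c_2)


def master_key_lifetime_years(scheme, eps_L, tau, L=2):
    """T_L = c_L * A (Eqs. (5) and (13)) in years, the quantity Table 1
    lists for L = 2; SCHEME 1 inverts Eq. (4), SCHEME 2 uses Eq. (16)."""
    if scheme == 1:
        c_L = 2 * L * eps_L
    elif scheme == 2:
        c_L = max_normalized_master_lifetime(eps_L, L)
    else:
        raise ValueError("scheme must be 1 or 2")
    return c_L * total_search_time(tau) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for tau in (1e-6, 1e-7, 1e-8):
        for eps in (1e-1, 1e-4, 1e-7):
            t1 = master_key_lifetime_years(1, eps, tau)
            t2 = master_key_lifetime_years(2, eps, tau)
            print(f"tau={tau:.0e}s eps={eps:.0e}: "
                  f"SCHEME 1 T_2={t1:9.3f} y, SCHEME 2 T_2={t2:9.3f} y")
    # With c_2 held at its maximum from Eq. (18), any positive c_1 raises
    # eps_2 in Eq. (17); that is why c_1 is chosen only after c_2 (rule 2).
    c2 = max_normalized_master_lifetime(1e-4, 2)
    print("eps_2 at (0, c2):", two_level_disclosure_rate(0.0, c2),
          " at (0.56*eps^0.75, c2):",
          two_level_disclosure_rate(0.56 * 1e-4 ** 0.75, c2))
```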

4. CONCLUDING REMARKS

The key lifetimes necessary to attain a certain low
disclosure rate have been investigated for two types of schemes.
DES is employed as an encryption algorithm example. This paper
employs the poorest attack, namely the exhaustive attack, as the
cryptanalysis. There may be a more effective attack. As a result,
we recommend adopting SCHEME 2 and changing the master key
'at least' within a few years.

ACKNOWLEDGEMENT 

The authors wish to thank Mr. Kato, Mr. Ishiguro and Mr.
Goto of NEC Corporation for helpful suggestions.

REFERENCES

[1] Lennon, R.E., "Cryptography Architecture for Information
Security", IBM System J., vol. 17, no. 2, pp. 138-150, 1978.

[2] Federal Information Processing Standards Publication No. 46,
National Bureau of Standards, 1977.

[3] Okamoto, E. and Nakamura, K., "Key Change Periods in
Cryptographic Key Management Systems", The Proceedings of
the 7-th Symposium on Information Theory and Its
Applications (in Japanese), pp. 169-173, 1984.



APPENDIX

The aim here is to show that the maximum of c_L is given by
Eq. (16) at c_1 = c_2 = \cdots = c_{L-1} = 0. From Eq. (12),

    \varepsilon_L c_L - \frac{c_L^{\,L+1}}{(L+1)!} = \sum_{i=2}^{L} \frac{c_{i-1}^{\,i}}{i!} \left( 1 - \frac{c_{i-1}}{i+1} \right) .    (A1)

The right-hand side of Eq. (A1) is nonnegative from Eq. (10) and
Eq. (13), while the left-hand side of Eq. (A1) is nonnegative if
and only if

    0 \le c_L \le ((L+1)!\,\varepsilon_L)^{1/L} .    (A2)

Hence the maximum of c_L is ((L+1)!\,\varepsilon_L)^{1/L}. When c_L is the
maximum,

    c_L = ((L+1)!\,\varepsilon_L)^{1/L} ,    (A3)

c_1, c_2, \ldots, c_{L-1} are all zero, because the right-hand side of
Eq. (A1) is zero and c_{i-1} does not equal i + 1 from Eq. (10) and
(13).



[Figure 1 (block diagrams, not reproduced): (a) SCHEME 1 and (b) SCHEME 2.
Both show the master key K_L passing over a secure channel, with registers
R, encryptors E and decryptors D for each key level; SCHEME 2 additionally
has selectors SEL_i, ..., SEL_0 and switches SW_i, ..., SW_0 that route each
decryptor output to the upper lines.]

Figure 1. Key distribution schemes



[Figure 2 (timeline, not reproduced): message disclosure intervals between
t_1, T_1, t_2, T_2, ..., t_{L-1}, T_{L-1}, t_L, T_L.]

t_i: time when K_i is found
T_i: time when K_i is changed

Figure 2. Times t_i and T_i distribution



Figure 4. Relation between c_L and L



[Figure 5 (graph, not reproduced): c_1 against c_2 on logarithmic axes from
10^{-7} to 10^0, with curves for \varepsilon_2 = 10^{-2}, ..., 10^{-8} and the
SCHEME 1 and SCHEME 2 lines, plotted from
\varepsilon_2 = \frac{c_1^2}{2c_2} + \frac{c_2^3 - c_1^3}{6c_2}.]

Figure 5. Relation between c_1 and c_2 with parameter \varepsilon_2



Table 1. Lifetimes of master keys for
2-level key cryptosystems

a) Lifetime of master key T_2 for SCHEME 1

    Disclosure        Encrypting time \tau
    rate \varepsilon   10^-6 (s)    10^-7 (s)    10^-8 (s)
    ----------        ---------    ---------    ---------
    10^-1             914 (y)      91.4 (y)     9.14 (y)
    10^-2             91.4         9.14         334 (d)
    10^-3             9.14         334 (d)      33.4
    10^-4             334 (d)      33.4         3.34
    10^-5             33.4         3.34         8.01 (h)
    10^-6             3.34         8.01 (h)     48.0 (m)
    10^-7             8.01 (h)     48.0 (m)     4.80 (m)

b) Lifetime of master key T_2 for SCHEME 2

    Cryptanalysis     Encrypting time \tau
    ratio \varepsilon  10^-6 (s)    10^-7 (s)    10^-8 (s)
    -------------     ---------    ---------    ---------
    10^-1             1770 (y)     178 (y)      17.8 (y)
    10^-2             560          56           5.6
    10^-3             178          17.8         1.78
    10^-4             56           5.6          204 (d)
    10^-5             17.8         1.78         64
    10^-6             5.6          204 (d)      20.4
    10^-7             1.78         64           6.4
    10^-8             204 (d)      20           2

Units: (y) years, (d) days, (h) hours, (m) minutes; an entry without a
unit marker carries the unit last shown above it in the same column.



Correlation Immunity and the Summation Generator 



Rainer A. Rueppel 
CMRR 

University of California, San Diego 
La Jolla, CA, 92093 



Abstract:

It is known that for a memoryless mapping from GF(2)^N into GF(2) the
nonlinear order of the mapping and its correlation-immunity form a
linear tradeoff. In this paper it is shown that the same tradeoff
no longer holds when the function is allowed to have memory.
Moreover, it is shown that integer addition, when viewed over GF(2),
defines an inherently nonlinear function with memory whose
correlation-immunity is maximum. The summation generator, which sums
N binary sequences over the integers, is shown as an application of
integer addition in random sequence generation.

1. Introduction

Boolean functions from GF(2)^n into GF(2) are commonly found in
cryptographic applications. Usually they are designed to be nonlinear
and to produce a balanced output, and often one finds the additional
requirement that from knowledge of the output bit it should not be
possible to reliably guess one or more input bits. Consider for
example DES, where the S-boxes define nonlinear mappings from GF(2)^4
(or GF(2)^6 respectively) into GF(2) chosen in such a way that little
statistical dependency is created between the output bit and one or
more input bits. Or consider a classical running-key generator for
use in a stream cipher system. Such a running-key generator consists
of N driving linear feedback shift registers (LFSRs) and some
nonlinear function operating on the N output sequences in order to
produce the running-key. Siegenthaler [1] has recently shown that
several of the previously published running-key generators employed
nonlinear functions which created statistical dependencies between
single input and output variables and therefore allowed 'divide-and-
conquer' attacks using correlation techniques. These results
stimulated some interest in functions which can resist the
correlation attack. The concept of m-th order correlation-immunity
for combining functions [2] was introduced as a measure of their
resistance against such correlation attacks. (But correlation-
immunity is not confined to running-key generators. In fact, if a
boolean function is found to be m-th order correlation-immune, it
means that there is no statistical dependency between the output
variable and any subset of m input variables, provided the input
variables are independent and uniformly distributed.) Unfortunately,
for such memoryless combining functions f there exists a tradeoff
between the attainable nonlinear order and the attainable level of
correlation-immunity [2]. If k and m denote the nonlinear order and
the order of correlation-immunity of f, respectively, then

    k + m \le N - 1 \quad \text{for } 1 \le m \le N - 2 .    (1)

Thus, the more correlation-immunity, the smaller the nonlinear order
of f and consequently the smaller the linear complexity of the
running-key, and vice versa. Moreover, functions which satisfy (1)
with equality are difficult to find.

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 260-272, 1986.
© Springer-Verlag Berlin Heidelberg 1986

In section 2 we shall show that this inconvenient tradeoff can be 
avoided by proper use of memory in the nonlinear combining function. 
In fact, one bit of memory suffices to obtain nonlinear combiners 
that are maximally correlation-immune and have maximum nonlinear 
order at the same time . In section 3 we shall demonstrate that 
integer (or real) addition, which is an extremely nonlinear operation 
when considered over GF(2), inherently defines a maximally 
correlation-immune combiner . Moreover, we will apply integer 
addition in random-sequence generation and give evidence that the 
resulting key stream is highly complex. 

Throughout most of this paper, GF(2) is taken as the underlying field 
of computation; therefore, unless otherwise stated, formulas are 
assumed to be computed over GF(2). 






2. Correlation-Immunity of Nonlinear Combiners 

In order to investigate the statistical dependencies introduced by 
the nonlinear combiner itself (and not by the sources which feed it) 
we shall assume that the input sequences to the nonlinear combiner 
are sequences of independent and uniformly distributed binary random 
variables . 









[Fig. 1 block diagram: N binary symmetric sources BSS 1, ..., BSS N deliver 
the input sequences $X_{1j}, \ldots, X_{Nj}$ to a nonlinear combiner (memoryless 
or not), which produces the output $Z_j$.] 

Fig. 1. Information-theoretic model used to define correlation-
immunity. (BSS = Binary Symmetric Source) 

Several authors ([2], [3]) investigated the correlation-immunity of 
nonlinear combiners, but always under the assumption that the 
combiner is memoryless. A memoryless nonlinear function is termed 
correlation-immune of order m [2] if the mutual information between 
the output variable and any subset of m input variables considered 
jointly is zero. For a memoryless combiner time is immaterial, since 
at any time the output only depends on the current input variables. 
Now allow the nonlinear combiner to contain memory, which in fact 
converts it into a finite-state machine (FSM). Let $s_0$ denote the 
initial content of the combiner's memory and define 
$X_i^j = X_{i1}, X_{i2}, \ldots, X_{ij}$ for $1 \le i \le N$. For any FSM we may write 

$Z_j = F(X_1^j, \ldots, X_N^j, s_0)$   (2) 






As a natural extension of the above definition of correlation-
immunity for memoryless combiners we shall say that a nonlinear 
combiner with memory is correlation-immune of order m if the mutual 
information between the output sequence and any subset of m input 
sequences is zero, that is, if 

$I(Z^j; X_{i_1}^j, \ldots, X_{i_m}^j) = 0, \qquad j > 0, \quad 1 \le i_1 < i_2 < \cdots < i_m \le N.$   (3) 

In this case the output sequence is statistically independent of any 
m input sequences considered jointly. In many cryptographic 
applications it is required that the output sequence should resemble 
as closely as possible a truly random sequence. For example, in a 
running-key generator, it must not be possible to reliably guess the 
next key bit regardless of how many prior key bits have been 
observed. In the information-theoretic model this corresponds to 
requiring that $\{Z_j\}$ forms a sequence of independent and uniformly 
distributed random variables. Under this constraint the definition 
(3) is equivalent to 

$I(Z_j; X_{i_1}^j, \ldots, X_{i_m}^j, Z^{j-1}) = 0, \qquad 1 \le i_1 < i_2 < \cdots < i_m \le N.$   (4) 
Definition (4) is intuitively pleasing: knowing all prior output bits 
and knowing (or guessing) jointly any m input sequences does not 
provide any information whatsoever on the next output bit. To prove 
the equivalence of (3) and (4), let m = 1 and decompose (3) in the 
following way, 

$I(Z^j; X^j) = I(Z^{j-1}; X^j) + I(Z_j; X^j \mid Z^{j-1}) = 0.$ 

Mutual informations are always greater than or equal to zero; hence 
it must hold that 

$I(Z_j; X^j \mid Z^{j-1}) = H(Z_j \mid Z^{j-1}) - H(Z_j \mid X^j, Z^{j-1}) = 0.$ 






Taking into account that $\{Z_j\}$ forms an i.i.d. sequence, we arrive at 

which establishes the equivalence. For an in-depth treatment of the 
different definitions of correlation-immunity we refer to [5]. Now 
let the function F of (2) have the form 



$Z_j = \sum_{i=1}^{N} X_{ij} + F'(X_1^{j-1}, \ldots, X_N^{j-1}, s_0)$   (5) 

where the current input variables $X_{1j}, \ldots, X_{Nj}$ are summed and added to 
an arbitrary function F' of all previous input variables and of the 
initial state $s_0$. Suppose we know the complete history of the 
nonlinear combiner F and all but one, say $X_{ij}$, of the current input 
variables. We then may rewrite (5) as 



$Z_j = X_{ij} + Y_j$   (6) 

where $Y_j$ summarizes our knowledge about the device. The fact that $X_{ij}$ 
is drawn independently of $Y_j$ from a uniform distribution implies that 
$Z_j$ and $Y_j$ are statistically independent and that $Z_j$ is also uniformly 
distributed. This can also be seen from the fact that (6) corresponds 
to sending $Y_j$ through a memoryless binary symmetric channel with 
capacity 0, thereby ensuring that $Z_j$ is uniformly distributed and 
statistically independent of $Y_j$. Hence, any nonlinear combiner of 
the form (5) is (N-1)-st order correlation-immune, which is in fact 
the maximum order of immunity possible. Moreover, the function F' in 
(5) is not restricted in any way and may consequently be chosen to be 
of maximum nonlinear order. In particular, one memory cell suffices 
in order to realize a combiner with maximum correlation-immunity and 
with maximum nonlinear order. For this case the FSM equations may be 
written as 



$Z_j = \sum_{i=1}^{N} X_{ij} + s_{j-1}$   (7a) 

$s_j = f(X_{1,j-1}, \ldots, X_{N,j-1}, s_{j-1})$   (7b) 

Equations (7) describe an FSM with finite memory of 1 bit. If the 
next state is computed irrespective of the previous state, then the 
FSM (7) is said to have a finite input memory of 1 bit (it can be 
realized with a pure feedforward structure). 

At this point it is illustrative to consider a practical example. 
Pless [4] proposed in 1977 a running-key generator which contains as 
basic building block a 2-LFSR subgenerator. In this subgenerator a J-K 
flip-flop acts as the nonlinear element which combines the 2 LFSR 
sequences. A J-K flip-flop defines a one-bit FSM whose state just 
contains the previous output bit and whose output and next-state 
functions therefore coincide. Its behavior is completely described by 

$Z_j = X_{1j} + Z_{j-1}(1 + X_{1j} + X_{2j})$   (8) 

Considering $X_{1j}$, $X_{2j}$, and $Z_{j-1}$ as the 3 input variables to a 
memoryless mapping f defined by (8) we may compute the Walsh 
transform $S_f(w)$ [3] of f. Fig. 2 displays the result. 



[Fig. 2 plot: $S_f(w)$ against $w = 0, 1, \ldots, 7$.] 

Fig. 2. Walsh transform of the boolean mapping defined by (8) 



The graph of Fig. 2 may be interpreted as follows: let $(w_0, w_1, w_2)$ 
denote the binary representation of w, where $0 \le w \le 7$. If the Walsh 
transform $S_f(w)$ is nonzero at some w > 0 then the mutual information 
$I(Z_j; w_0 X_{1j} + w_1 X_{2j} + w_2 Z_{j-1})$ is greater than zero. Moreover, the value of 
the Walsh transform at this w gives an exact account of how much 
statistical dependency is introduced. For instance, the peaks in the 
Walsh transform at w = 1 and w = 2 in Fig. 2 tell us that the output 
bit $Z_j$ is neither independent of $X_{1j}$ nor of $X_{2j}$. The value -1/4 at 
$S_f(1)$ tells us that the probability that $Z_j$ coincides with $X_{1j}$ is 
3/4. Equivalently, the value +1/4 at $S_f(2)$ tells us that the 
probability that $Z_j$ coincides with $X_{2j}$ is 1/4. On the other hand, 
since $S_f(4)$ is zero, $Z_j$ is independent of $Z_{j-1}$. Consequently, if a J-K 
flip-flop is fed by two binary symmetric sources it will produce a 
sequence of independent and uniformly distributed binary random 
variables (as desired), but this output sequence will exhibit a 
strong correlation with either input sequence. Thus, the correlation-
immunity of a J-K flip-flop is zero. 
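The Walsh-spectrum reading of Fig. 2 as an added example (this is not code from the paper): it computes $S_f(w)$ for the mapping (8), the coincidence probabilities the text derives from it, and the correlation-immunity order, and contrasts the J-K flip-flop with the output map of the one-bit-memory combiner (7a) for N = 2, viewed as a memoryless map of its three arguments. The normalisation $S_f(w) = 2^{-n}\sum_x f(x)(-1)^{w \cdot x}$ and the bit order $w_0 \leftrightarrow X_{1j}$ are assumptions chosen to match the values quoted in the text.

```python
# Walsh-spectrum analysis of a combiner's output map, added as an example for this
# section (it is not code from the paper). A boolean function f of n inputs is given
# as a callable on a bit tuple; the J-K flip-flop map (8) takes (X_1j, X_2j, Z_{j-1}).
from fractions import Fraction
from itertools import product


def walsh_transform(f, n):
    """S_f(w) = 2^-n * sum_x f(x) (-1)^(w.x) for w = 0 .. 2^n - 1.

    Bit k of w selects argument k of f, so w = 1, 2, 4 stand for the single
    arguments (w_0, w_1, w_2 in the text); f takes values 0/1 (Xiao-Massey [3]).
    """
    spectrum = []
    for w in range(2 ** n):
        acc = 0
        for x in product((0, 1), repeat=n):
            dot = sum(x[k] for k in range(n) if (w >> k) & 1) % 2
            acc += f(x) if dot == 0 else -f(x)
        spectrum.append(Fraction(acc, 2 ** n))
    return spectrum


def coincidence_probability(f, n, w):
    """P(f(x) = w.x) counted directly over uniform x; equals 1/2 - S_f(w) for w != 0."""
    hits = 0
    for x in product((0, 1), repeat=n):
        dot = sum(x[k] for k in range(n) if (w >> k) & 1) % 2
        hits += f(x) == dot
    return Fraction(hits, 2 ** n)


def correlation_immunity_order(f, n):
    """Largest m such that S_f(w) = 0 for every w with 1 <= weight(w) <= m [3]."""
    spectrum = walsh_transform(f, n)
    for m in range(1, n + 1):
        if any(spectrum[w] != 0 for w in range(1, 2 ** n) if bin(w).count("1") == m):
            return m - 1
    return n


def jk_flip_flop(x):
    """Eq. (8): Z_j = X_1j + Z_{j-1} (1 + X_1j + X_2j) over GF(2); x = (X_1j, X_2j, Z_{j-1})."""
    x1, x2, z_prev = x
    return (x1 + z_prev * (1 + x1 + x2)) % 2


def memory_combiner_output(x):
    """Output map of (7a) for N = 2: Z_j = X_1j + X_2j + s_{j-1}; x = (X_1j, X_2j, s_{j-1})."""
    return sum(x) % 2


if __name__ == "__main__":
    spec = walsh_transform(jk_flip_flop, 3)
    for w in range(8):
        line = f"w={w}  S_f(w)={spec[w]}"
        if w:
            line += f"  P(Z_j = w.x)={coincidence_probability(jk_flip_flop, 3, w)}"
        print(line)
    print("CI order of the J-K flip-flop map (8):", correlation_immunity_order(jk_flip_flop, 3))
    print("CI order of the XOR-plus-memory map (7a):",
          correlation_immunity_order(memory_combiner_output, 3))
```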

Comparing (2) and (4) we notice that maximum correlation-immunity of 
F was obtained by separating the N current input variables from an 
arbitrary function F' of only prior input variables. In general, any 
desired level m of correlation-immunity can be obtained by separating 
m+1 input variables, each taken from a different input sequence and 
possibly with a different time index, but disallowing their use in 
the arbitrary function F'. 



3. The Summation Principle 

Let a and b be two integers whose binary representations are given as 
$a = a_{n-1} 2^{n-1} + \cdots + a_1 2 + a_0$ and $b = b_{n-1} 2^{n-1} + \cdots + b_1 2 + b_0$, 
respectively. Let $z = a + b$ be the real sum of the two integers and assume 
that the sum is computed bit-serially in GF(2) from the binary 
representations of a and b. Then we may write, with increasing nonlinear 
order of the binary functions producing the j-th bit, 

$z_0 = a_0 + b_0$ 
$z_1 = a_1 + b_1 + a_0 b_0$ 
$z_2 = a_2 + b_2 + a_1 b_1 + a_1 a_0 b_0 + b_1 a_0 b_0$   (9) 

or we may express $z_j$ recursively for $0 \le j < n$: 

$z_j = f_1(a_j, b_j, c_{j-1}) = a_j + b_j + c_{j-1}$   (10a) 
$c_j = f_2(a_j, b_j, c_{j-1}) = a_j b_j + (a_j + b_j) c_{j-1}$   (10b) 

where $c_{j-1}$ represents the carry bit from the less significant bits to 
bit j of the sum. Fig. 3 illustrates the principle. 



[Fig. 3 block diagram: two input shift registers holding $a_{n-1}, \ldots, a_1, a_0$ 
and $b_{n-1}, \ldots, b_1, b_0$ feed the adder of (10), whose carry is held in a 
feedback memory cell; the sum bits $z_n, z_{n-1}, \ldots, z_1, z_0$ appear serially.] 

Fig. 3. Time-sharing of a 3-bit adder to produce bit-serially the real 
sum of two n-bit integers. 

When the two input shift registers in Fig. 3 are initially loaded 
with the binary representation (least-significant bit first) of the 
two integers and when the feedback memory cell is initially zero, 
then after (n+1) clock cycles the (n+1) bits corresponding to the 
binary representation of the real sum will have appeared serially at 
the output. In fact, the real adder of Fig. 3 defines a finite-state 
machine with output and next-state functions according to (10), and, 
surprisingly enough, it directly realizes a correlation-immune 
combining function as defined in (7). Note that $f_1$ defines the 
GF(2)-sum of the input variables and thus accounts for the 
correlation immunity, while $f_2$ defines the GF(2)-sum of all second-
order products of the input variables and thus implements a 
memoryless nonlinear mapping. The memory cell is used to hold the 
carry bit from the (j-1)-st to the j-th position of the sum and 
carries all the nonlinear influence of the less significant bits. 
These observations suggest that real addition could be useful in 
running-key generation. The simplest running-key generator based on 
this summation principle may be obtained by adding two (or in general 
N) infinite integers whose binary representations are periodic 
sequences generated by suitable LFSRs. We shall call any such 
generator a summation generator. It is apparent from the linear form 
of the output function (10a) that whenever at least one input 
sequence consists of independent and uniformly distributed random 
variables, so does the output sequence. Besides the statistical 
properties of a generator one is often interested in the period of a 
generator and its linear complexity (that is, the length of the 
shortest LFSR that is able to emulate the generator for a given 
output sequence). 

Property 1: 

Let $\{a_j\}$ and $\{b_j\}$ be two binary sequences with least periods $T_1$ 
and $T_2$ respectively. When $\{z_j\}$ denotes the real sum of $\{a_j\}$ and 
$\{b_j\}$, expressed in radix-2 form, and if $\gcd(T_1, T_2) = 1$, then $\{z_j\}$ 
has least period $T_1 T_2$. 

Proof: 

Define the rational fraction s associated to a sequence $\{s_j\}$ of 
period T as 

$s = \frac{\sum_{j=1}^{T} s_{T-j}\, 2^{j-1}}{2^T - 1} = \frac{p}{q}$ 

where $\gcd(p, q) = 1$. The period T may be found from q as the 
multiplicative order of 2 modulo q. Therefore we may write 
$a = p_1/q_1$ and $b = p_2/q_2$. The real sum of the sequences directly 
corresponds to the real sum of the rational fractions. Thus 






where we identify $n/q_1 q_2$ as the rational fraction representing 
the real sum sequence $\{z_j\}$ and c, which is either 0 or 1, as the 
carry digit from one period of the sum sequence to the next. We 
note that $\gcd(n, q_1 q_2) = 1$ because $\gcd(q_1, q_2) = \gcd(p_1, q_1) = 
\gcd(p_2, q_2) = 1$, and that $\gcd(2, q_1 q_2) = 1$ since $q_1$ divides $2^{T_1} - 1$ and 
$q_2$ divides $2^{T_2} - 1$. Then the period T of the real sum sequence 
$\{z_j\}$ is given by the multiplicative order of 2 modulo $q_1 q_2$. 
Since $q_1$ and $q_2$ are relatively prime it follows from the Chinese 
remainder theorem that T is equal to the product of the 
multiplicative orders of 2 modulo $q_1$ and 2 modulo $q_2$. Hence 

Property 1 may easily be generalized to the sum of N periodic 
sequences in radix-r representation. 

Now assume that the real adder is fed by two maximum-length sequences 
whose minimal polynomials have relatively prime degrees $L_1$ and $L_2$. 
This implies that their periods are relatively prime and thus, by 
Property 1, the period T of the real sum sequence is $(2^{L_1} - 1)(2^{L_2} - 1)$, 
which value also provides an upper bound to the linear complexity of 
$\{z_j\}$. When the above two m-sequences are multiplied termwise then the 
resulting product sequence will have a minimal polynomial of degree 
$L_1 L_2$ (i.e. linear complexity $L_1 L_2$) all of whose roots are from 
$GF(2^{L_1 L_2}) - GF(2^{L_1}) - GF(2^{L_2})$. The interesting question now is how 
the feedback memory of the real adder affects the linear complexity 
of the real sum sequence. From (9) we see that the order of the 
products involved in the direct description of the function producing 
$z_j$ grows linearly with time. A finite-state machine is said to have 
finite input memory M if M is the least integer such that the output 
digit at time j may be expressed as a function of the input variables 
at times j-M, ..., j. Clearly the FSM as described by (10) has in 
general infinite input memory. But whenever the input sequences to 
the real adder produce a pair of zeros or ones, then the state of the 
adder FSM is set to a value independent of the preceding states and 
input values. In particular, when periodic input sequences are used 
which produce at least a common pair of zeros or ones within the 
period of the output sequence (which is certainly true for the above 
pair of m-sequences), then the input memory M will be finite with 
respect to the particular driving sequences. This allows one to convert 
the feedback structure of the nonlinear combiner (10) into a 
feedforward structure of input memory M (corresponding to a maximum 
nonlinear order of M+1 in the functional description (9)). From the 
feedforward function it is then possible to calculate (or at least 
bound) the associated linear complexity of the output sequence. In 
fact, one may prove that real addition of binary sequences is so 
nonlinear that from the available $L_1$ elements in $GF(2^{L_1})$ and $L_2$ 
elements in $GF(2^{L_2})$ (which are the roots of the two primitive 
minimal polynomials), it may generate every element in $GF(2^{L_1 L_2}) - 
GF(2^{L_1}) - GF(2^{L_2})$. 

Property 2: 

Let $\{a_j\}$ and $\{b_j\}$ be two binary m-sequences whose primitive 
minimal polynomials have relatively prime degrees $L_1$ and $L_2$. 
When $\{a_j\}$ and $\{b_j\}$ are added over the reals then the real sum 
sequence $\{z_j\}$ exhibits linear complexity LC close to its period 
length, 

$LC(\{z_j\}) \le (2^{L_1} - 1)(2^{L_2} - 1)$   (11) 

with near equality. 

Instead of giving the proof which is straightforward but rather 
tedious, we will display some simulation results [6] which confirm 
that the bound (11) is extremely tight . In fact, no serious 
degeneracy was ever found, which suggests that integer addition is an 
inherently good nonlinear function. 



(The columns N, $L_1$, $L_2$ and $L_3$ were lost in the scan; the T and LC 
columns are as printed.) 

    T      LC 
    105    ≥ 100 
    217    ≥ 208 
    465    ≥ 455 
    651    ≥ 641 

Table 1. Small-scale simulations giving evidence that the bound 
(11) is very tight (for explanation of the table see 
text below). 



In Table 1, the column labeled N gives the number of m-sequences 
added over the reals; the columns labeled $L_1$, $L_2$, and $L_3$ give the 
degrees of the minimal polynomials of the m-sequences which were 
added; the column labeled T gives the period of the sum sequences; 
the column labeled LC displays the smallest linear complexity 
obtained for all possible combinations of different primitive minimal 
polynomials of the mentioned degrees. For instance, the first row 
tells us that each of the different m-sequences of degree 3 (there 
are 2) was separately added to each of the different m-sequences of 
degree 4 (there are 2), and never was a linear complexity smaller 
than 100 obtained. 

Although it seems counterintuitive, integer (real) addition is 
extremely nonlinear when viewed over GF(2). The results in this 
section show that given two integers whose binary representations 
have very low (linear) complexity, their real sum may have very 
high (linear) complexity. This of course depends on whether use was 
made of the nonlinear potential of real addition. Suppose, for example, 
we add the two integers whose binary representations are the 
sequences 0101.. and 1010.., each having linear complexity 2. The 
result is the all-1 sequence of linear complexity 1. Note that in 
this case the real sum and the mod-2 sum of the 2 sequences are 
identical and, in fact, no nonlinear contribution through a 
carry ever occurred. 
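The summation generator of this section as an added example (not the paper's code nor the simulation program of [6]): it builds two m-sequences, adds them with the adder FSM (10), and checks Property 1 and the bound (11) for the first row of Table 1 (degrees 3 and 4) as well as the carry-free case 0101.. + 1010.. just discussed. The feedback polynomials x^3 + x + 1 and x^4 + x + 1, the initial fills and the Berlekamp-Massey routine are this example's choices.

```python
# Summation generator of Section 3, added as an example (not the paper's own code):
# two m-sequences are added as infinite integers, least-significant bit first, by the
# full-adder FSM (10a)/(10b); Property 1 and bound (11) are then checked numerically.
# Polynomials x^3+x+1 and x^4+x+1 (degrees 3 and 4, first row of Table 1) and the
# nonzero initial fills are this example's choices.


def lfsr_sequence(poly, seed, length):
    """Bits s_0, s_1, ... of the LFSR with characteristic polynomial 'poly' (set of
    exponents, e.g. {3, 1, 0} for x^3 + x + 1) and initial fill 'seed' = s_0 .. s_{L-1}."""
    L = max(poly)
    s = list(seed)
    assert len(s) == L and any(s), "fill must have L bits and not be all zero"
    while len(s) < length:
        # recurrence s_{j+L} = sum over the lower-order terms e < L of s_{j+e}
        s.append(sum(s[-L + e] for e in poly if e < L) % 2)
    return s


def summation_generator(a, b, carry=0):
    """Real sum of the integers whose LSB-first binary expansions are a and b, eq. (10)."""
    z = []
    for aj, bj in zip(a, b):
        z.append(aj ^ bj ^ carry)                  # (10a): z_j = a_j + b_j + c_{j-1}
        carry = (aj & bj) ^ ((aj ^ bj) & carry)    # (10b): c_j = a_j b_j + (a_j + b_j) c_{j-1}
    return z


def least_period(seq):
    """Smallest p with seq[i] == seq[i+p] throughout the window (window >= 2 periods)."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return len(seq)


def berlekamp_massey(s):
    """Linear complexity of the binary sequence s: length of the shortest LFSR for it."""
    n = len(s)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def analyse_summation_generator(poly1, seed1, poly2, seed2):
    """Period and linear complexity of the periodic part of the real sum sequence."""
    T1, T2 = 2 ** max(poly1) - 1, 2 ** max(poly2) - 1
    T = T1 * T2
    a = lfsr_sequence(poly1, seed1, 3 * T)
    b = lfsr_sequence(poly2, seed2, 3 * T)
    z = summation_generator(a, b)
    # After one period of the inputs the carry entering each further period is fixed
    # (the digit c in the proof of Property 1), so z is strictly periodic from index T.
    tail = z[T:]
    return {
        "input_periods": (least_period(a[:2 * T1]), least_period(b[:2 * T2])),
        "period": least_period(tail),
        "linear_complexity": berlekamp_massey(tail),
        "bound_11": T,
    }


if __name__ == "__main__":
    print(analyse_summation_generator({3, 1, 0}, (1, 0, 0), {4, 1, 0}, (1, 0, 0, 0)))
    # degenerate case from the text: 0101.. + 1010.. never produces a carry
    z = summation_generator([0, 1] * 8, [1, 0] * 8)
    print(z, "linear complexity", berlekamp_massey(z))
```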

Finally, we want to mention that a similar analysis applies to the 
0/1-knapsack with N weights [7]. The i-th output bit of such a 
knapsack may be regarded as being produced by a boolean function from 
$GF(2)^N$ into GF(2) whose coefficients are determined by the weights of 
the knapsack. One can prove that the nonlinear order of the function 
producing the i-th output bit is bounded from above by $\min\{2^i, N\}$. 
Therefore, roughly the log N least significant bits of a knapsack are 
considerably less nonlinear (are considerably weaker) than the 
remaining output bits. 



References: 

[1] T. Siegenthaler, "Decrypting a Class of Stream Ciphers Using 
Ciphertext Only", IEEE Trans. on Computers, Vol. C-33, 1984. 

[2] T. Siegenthaler, "Correlation-Immunity of Nonlinear Combining 
Functions for Cryptographic Applications", IEEE Trans. on Info. 
Th., Vol. IT-31, 1985. 

[3] Xiao Guo-zhen, J. L. Massey, "A Spectral Characterization of 
Correlation-Immune Combining Functions", submitted to IEEE Trans. 
on Info. Th. 

[4] V. S. Pless, "Encryption Schemes for Computer Confidentiality", 
IEEE Trans. on Computers, Vol. C-26, Nov. 1977. 

[5] T. Siegenthaler, "Design of Combiners to Prevent Divide and 
Conquer Attacks", Proceedings of Crypto 85, Santa Barbara, August 
18-22, 1985. 

[6] U. Maurer, R. Viscardi, "Running-Key Generators with Memory in 
the Nonlinear Combining Function", Diploma Project, Swiss Federal 
Institute of Technology Zurich, Dec. 1984. 

[7] R. A. Rueppel, J. L. Massey, "The Knapsack as a Nonlinear 
Function", IEEE Symposium on Info. Th., Brighton, UK, June 24-28, 
1985. 



DESIGN OF COMBINERS TO PREVENT DIVIDE AND CONQUER ATTACKS 



T. Siegenthaler 
Institute for Communication Technology 
Federal Institute of Technology 
8092 Zurich, Switzerland 



Abstract 



A finite state machine driven by n independent sources each generating 
a q-ary sequence is investigated. The q-ary output sequence of that 
device is considered as the running-key sequence in a stream cipher. 
Possible definitions for Correlation-Immunity are discussed and a 
simple condition is given which ensures that divide-and-conquer attacks 
on such generators are prevented. 



I Introduction 

A common form of running key generators for use in stream ciphers 
consists of n driving sources and some combiner. We assume in this 
section that each of the sources independently generates a sequence of 
q-ary random variables and that a finite state machine (FSM) combines 
the n input sequences $x_{1,j}, x_{2,j}, \ldots, x_{n,j}$ to an output sequence $z_j$, 
j = 0, 1, ... . A FSM is a system with finite sets of input and output 
symbols, a finite set of states, a next-state function $\Psi$ and an output 
function $\Phi$: 

$\Psi: (\mathbf{x}_j, \mathbf{s}_j) \to \mathbf{s}_{j+1}, \qquad \Phi: (\mathbf{x}_j, \mathbf{s}_j) \to z_j,$ 

where $\mathbf{x}_j = [x_{1,j}, x_{2,j}, \ldots, x_{n,j}]$ and where $\mathbf{s}_j = [s_{1,j}, s_{2,j}, \ldots, s_{k,j}]$ and 
$\mathbf{s}_{j+1} = [s_{1,j+1}, s_{2,j+1}, \ldots, s_{k,j+1}]$ are the state vectors with the k 
q-ary components $s_{1,j}, s_{2,j}, \ldots, s_{k,j}$ and $s_{1,j+1}, s_{2,j+1}, \ldots, s_{k,j+1}$ 
at time instants j and j+1, respectively. $\mathbf{s}_0$ denotes the initial state. 
Fig. 1 shows a canonical representation for a FSM [1], driven by n 
q-ary sources. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 273-279, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






[Fig. 1 block diagram: n q-ary sources qS 1, qS 2, ..., qS n deliver the input 
vector $\mathbf{x}_j$ to a combinational circuit with output $z_j$ and next state 
$\mathbf{s}_{j+1}$; the state is returned to the circuit through delays.] 

Fig. 1. A running key generator for use in stream ciphers. 

A cryptanalyst possibly tries to break the above system by breaking 
the individual subkeys of the n sources. To prevent such divide-and-
conquer attacks, the symbols generated by the FSM should be 
statistically independent of the symbols of one (or several) input 
sequences. In this note we give some results for FSM combiners. 

II Correlation-Immunity of FSM combiners 

A FSM combiner is called m-th order correlation-immune [2] if the 
mutual information between the running-key sequence $z^j$ and every subset 
of m input sequences $x_{i1}^j, x_{i2}^j, \ldots, x_{im}^j$, $1 \le i1 < i2 < \cdots < im \le n$, is 

$I(z^j; x_{i1}^j, x_{i2}^j, \ldots, x_{im}^j) = 0 \quad \text{for all } j \ge 0,$   (1) 

where the superscript j means that all symbols up to time instant j are 
considered, e.g. $z^j = z_0, z_1, \ldots, z_j$. Note that $z^j$ contains j+1 
symbols. The sequences $x_{i1}, x_{i2}, \ldots, x_{im}$ are assumed to be independent of 
each other. Definitions (1) and (2), which is slightly stronger, have 
been used by Rueppel [3,4]: 

$I(z_j; x_{i1}^j, x_{i2}^j, \ldots, x_{im}^j, z^{j-1}) = 0 \quad \text{for all } j > 0,$   (2a) 

and 

$I(z_j; x_{i1}^j, x_{i2}^j, \ldots, x_{im}^j) = 0 \quad \text{for } j = 0.$   (2b) 





In this section it will be shown that (2) is too restrictive to be used 
as a definition in general but is useful for a special (but 
cryptographically significant) case. Moreover, an expression equivalent 
to that given in (1) is derived. For ease in notation we assume m = 1; 
however, the result is easily extended to any m, $1 \le m \le n$. From (2a) 
we obtain 

$I(z_j; x_1^j, z^{j-1}) = I(z_j; z^{j-1}) + I(z_j; x_1^j \mid z^{j-1}) = 0, \quad j > 0.$   (3) 

Because mutual information is never negative, we must have 

$I(z_j; z^{j-1}) = H(z_j) - H(z_j \mid z^{j-1}) = 0, \quad j > 0,$   (4) 

and 

$I(z_j; x_1^j \mid z^{j-1}) = 0, \quad j > 0.$   (5) 

For stationary input sequences (4) means that an independence definition 
according to (2) implies an independent and identically distributed 
(i.i.d.) sequence $z_0, z_1, \ldots$, which, of course, isn't necessary for 
correlation-immunity. Fig. 2 gives an example for the restriction made 
with a definition according to (2). All variables are binary and we 
assume in this example that the input sequences are balanced and i.i.d. 
Example 1: 

[Fig. 2 circuit diagram not recoverable from the scan.] 

Fig. 2. A correlation-immune FSM with $I(z^j; x_i^j) = 0$ but $I(z_j; z^{j-1}, x_i^j) > 0$ 
for i = 1, 2. The small circle denotes inversion. 

We certainly have $I(x_i^j; y^j) = 0$ because the mod 2 addition at the input 
acts as a binary symmetric channel. From the data processing lemma it 
follows that $I(x_i^j; z^j) \le I(x_i^j; y^j) = 0$, for i = 1, 2. On the other hand, from 
$z_{j-1} = 1$ follows that $z_j = 0$, independently of the actual inputs. But this 
shows that $H(z_j \mid z^{j-1}) < H(z_j)$ or $I(z_j; z^{j-1}) > 0$, from which follows that 
$I(z_j; z^{j-1}, x_i^j) > 0$ for i = 1, 2. 

Now we prove the following equality: 

$I(z^j; x_1^j) = \sum_{i=1}^{j} I(z_i; x_1^i \mid z^{i-1}), \quad j > 0.$   (6) 






First we have 

$I(x_1^j; z^j) = I(z^{j-1}; x_1^j) + I(z_j; x_1^j \mid z^{j-1}), \quad j > 0.$   (7) 

The first term on the right hand side can be written as 

$I(z^{j-1}; x_1^j) = H(x_1^j) - H(x_1^j \mid z^{j-1})$ 
$\qquad = H(x_1^j) - H(x_1^{j-1} \mid z^{j-1}) - H(x_{1,j} \mid x_1^{j-1}, z^{j-1}), \quad j > 0.$   (8) 

From the independence of the input sequences and the additional 
assumption that the initial state $\mathbf{s}_0$ is chosen independently of the 
input sequences, we have 

$H(x_{1,j} \mid x_1^{j-1}, z^{j-1}) = H(x_{1,j} \mid x_1^{j-1}, \Phi'(x_1^{j-1}, \ldots, x_n^{j-1}, \mathbf{s}_0)) = H(x_{1,j} \mid x_1^{j-1}), \quad j > 0,$ 

and therefore it follows that 

$I(z^{j-1}; x_1^j) = H(x_1^j) - H(x_1^{j-1} \mid z^{j-1}) - H(x_{1,j} \mid x_1^{j-1}), \quad j > 0.$ 

The first term on the right hand side can be expanded as 
$H(x_{1,j} \mid x_1^{j-1}) + H(x_1^{j-1})$ and therefore 

$I(z^{j-1}; x_1^j) = H(x_1^{j-1}) - H(x_1^{j-1} \mid z^{j-1}) = I(z^{j-1}; x_1^{j-1}), \quad j > 0.$   (9) 

It follows from (7) and (9) that 

$I(x_1^j; z^j) = I(x_1^{j-1}; z^{j-1}) + I(z_j; x_1^j \mid z^{j-1}), \quad j > 0.$   (10) 

(10) can be used iteratively to get (6). This completes the proof. 
From (6) it immediately follows that the expressions given in (11) below 
are equivalent to expression (1) and therefore are an equivalent 
definition for correlation-immunity of FSM's: 

$I(z_j; x_{i1}^j, x_{i2}^j, \ldots, x_{im}^j \mid z^{j-1}) = 0 \quad \text{for all } j > 0$ 
and 
$I(z_j; x_{i1}^j, x_{i2}^j, \ldots, x_{im}^j) = 0 \quad \text{for } j = 0,$   (11) 

where m and i1, i2, ..., im in (11) are defined as in (1). Note also that 
the independence definitions (1) and (2) are equivalent if and only if 
the FSM generates an i.i.d. output sequence. 






III A design criterion for finite state machines 

In practice it may often be difficult to work with expression (1). In 
this section we assume that the input sequences are independent of 
each other and i.i.d. and we work out a much simpler condition. 

Theorem: 

A sufficient condition for (1) to hold is that the current state 
and every set of m current inputs $x_{i1,j}, x_{i2,j}, \ldots, x_{im,j}$, $1 \le i1 < i2 
< \cdots < im \le n$, are jointly statistically independent of the current 
output symbol $z_j$. If the FSM is a finite output memory machine which, 
moreover, generates an i.i.d. output sequence this condition is also 
necessary. 

Note that due to the above theorem it is sufficient to fulfil some 
requirements on the memoryless output function $\Phi$ independently of the 
chosen next-state function $\Psi$. To avoid unnecessary difficulties in 
notation the proof is given again for m = 1 but is easily extended to 
any m, $0 < m \le n$. First we have 

$H(z^j \mid x_1^j) = H(z_0 \mid x_1^j) + H(z_1 \mid z_0, x_1^j) + \cdots + H(z_j \mid z^{j-1}, x_1^j);$ 

for a causal system with i.i.d. input sequences it follows that 

$H(z^j \mid x_1^j) = H(z_0 \mid x_1^0) + H(z_1 \mid z_0, x_1^1) + \cdots + H(z_j \mid z^{j-1}, x_1^j).$ 

For the FSM of Fig. 1 we have 

$H(z^j \mid x_1^j) \ge H(z_0 \mid x_{1,0}) + H(z_1 \mid \mathbf{s}_1, x_{1,1}) + \cdots + H(z_j \mid \mathbf{s}_j, x_{1,j})$ 

or 

$H(z^j \mid x_1^j) \ge H(z_0 \mid x_{1,0}) + \sum_{i=1}^{j} H(z_i \mid x_{1,i}, \mathbf{s}_i).$   (12) 

Note that for a finite output memory machine (where the state is 
identical to some finite number of output digits) equality holds in 
(12). Now we use 

$I(z^j; x_1^j) = H(z^j) - H(z^j \mid x_1^j)$ 

and together with (12) we obtain 

$I(z^j; x_1^j) \le H(z^j) - H(z_0 \mid x_{1,0}) - \sum_{i=1}^{j} H(z_i \mid x_{1,i}, \mathbf{s}_i).$ 

The right hand side can be further increased by using 

$H(z^j) \le \sum_{i=0}^{j} H(z_i)$   (13) 

and therefore 






$I(z^j; x_1^j) \le H(z_0) - H(z_0 \mid x_{1,0}) + \sum_{i=1}^{j} \left[ H(z_i) - H(z_i \mid x_{1,i}, \mathbf{s}_i) \right]$ 

or 

$I(z^j; x_1^j) \le I(z_0; x_{1,0}) + \sum_{i=1}^{j} I(z_i; x_{1,i}, \mathbf{s}_i),$   (14) 

where equality holds in (14) for a finite output memory machine which 
fulfills (13) with equality. The theorem follows immediately from the 
fact that $I(z_i; x_{1,i}, \mathbf{s}_i) = 0$ is equivalent to saying that the current 
input $x_{1,i}$ and the current state $\mathbf{s}_i$ are jointly statistically 
independent of the current output $z_i$. Note that the FSM of Example 1 
fulfills (1) even if the state and some inputs are not jointly 
statistically independent of the output. However, this is not a 
contradiction to the theorem because the finite output memory machine 
of Fig. 1 doesn't generate an i.i.d. sequence and therefore the 
necessary part of the theorem doesn't hold. The sequences in the 
following two examples have digits in GF(2). 
Example 2: 

[Fig. 3 circuit diagram: inputs $x_{1,j}, x_{2,j}, x_{3,j}$, one-bit state $s_j$, output $z_j$.] 

$\Psi: \; s_{j+1} = \Psi(x_{1,j}, x_{2,j}, x_{3,j}, s_j)$ 

$\Phi: \; z_j = x_{\cdot,j} \oplus x_{\cdot,j} \oplus s_j \cdot x_{\cdot,j} \oplus s_j \cdot x_{\cdot,j}$ (the input indices are illegible in the scan) 

Fig. 3. A correlation-immune FSM with n = 3, m = 1. 

The above FSM is correlation-immune with m = 1 for any choice of $\Psi$ due 
to the theorem of this section because $x_{i,j}, s_j$ are jointly statistically 
independent of $z_j$ for i = 1, 2, 3. (For every choice of $x_{i,j}, s_j$ the 
output $z_j$ is independently determined by the j-th digit of an i.i.d. 
sequence.) 

Example 3: 

The JK flip-flop (see Fig. 4 for a logic equivalent) is an example for a 
finite output memory machine which generates an i.i.d. sequence when 
driven by two i.i.d. input sequences. However, it doesn't fulfil the 
necessary condition given in the theorem, as can be seen from the 
corresponding function $\Phi$. For $s_j = 0$ and any choice of $x_{2,j}$ we have 
$z_j = x_{1,j}$ and therefore $x_{1,j}$ and $s_j$ are not jointly statistically 
independent of $z_j$. 



[Fig. 4 logic diagram: output function $\Phi$ giving $z_j$ from the inputs and the 
state, with next state $s_{j+1} = z_j$.] 

Fig. 4. A finite output memory machine which generates an i.i.d. 
output sequence but is not correlation-immune. 
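A truth-table check of the theorem's sufficient condition for m = 1, applied to Examples 2 and 3, added here as an example (it is not code from the paper). The three-input function standing in for Example 2 is this example's reading of Fig. 3, whose indices are illegible in the scan, and the J-K flip-flop is taken from eq. (8) of the preceding paper.

```python
# Checking the theorem's sufficient condition on a truth table, added as an example (not
# the paper's code). phi(x, s) is the memoryless output function Phi with the current
# inputs x = (x_1j, ..., x_nj) and the current one-bit state s_j. For m = 1 the condition
# is that (x_ij, s_j) is jointly independent of z_j for each i; with the remaining inputs
# i.i.d. and uniform it is enough that z_j is balanced for every fixed value of
# (x_ij, s_j), which is the remark made after Example 2.
from itertools import product


def balanced_given(phi, n, i, xi, s):
    """True iff z_j = phi(x, s) takes the values 0 and 1 equally often over the other
    inputs x_kj, k != i, when x_ij = xi and s_j = s are held fixed."""
    ones = total = 0
    for x in product((0, 1), repeat=n):
        if x[i] == xi:
            total += 1
            ones += phi(x, s)
    return 2 * ones == total


def condition_violations(phi, n):
    """All (i, x_ij, s_j) for which the output is not balanced; empty iff the sufficient
    condition of the theorem holds with m = 1 for a one-bit state."""
    return [(i, xi, s) for i in range(n) for xi in (0, 1) for s in (0, 1)
            if not balanced_given(phi, n, i, xi, s)]


def jk_phi(x, s):
    """J-K flip-flop of Example 3 (eq. (8) of the preceding paper): the state is the
    previous output and z_j = x_1j + s_j (1 + x_1j + x_2j) over GF(2)."""
    return x[0] ^ (s & (1 ^ x[0] ^ x[1]))


def example2_phi(x, s):
    """A combiner of the Example 2 type (assumed reading of Fig. 3, not a transcription):
    z_j = x_1j + x_2j + s_j x_2j + s_j x_3j, i.e. x_1j plus x_2j if s_j = 0, else x_3j."""
    return x[0] ^ x[1] ^ (s & x[1]) ^ (s & x[2])


if __name__ == "__main__":
    print("J-K flip-flop violations (i, x_ij, s_j):", condition_violations(jk_phi, 2))
    print("Example-2-type combiner violations:", condition_violations(example2_phi, 3))
```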



Conclusions 



Definitions for correlation-immunity of general finite state machines 
have been discussed. The input sequences have been assumed to be 
independent of each other. It turned out that the definitions according 
to (1) and (11) are equivalent. The definition according to (2) is 
equivalent to that given in (1) if and only if the output sequence 
generated by the FSM is an i.i.d. sequence. Further, a simple 
sufficient condition for FSM's to be correlation-immune has been 
developed under the assumption that the input sequences are independent 
of each other and i.i.d. Moreover, it turned out that this condition 
is also necessary if the FSM is a finite output memory machine which 
generates an i.i.d. output sequence. 



Acknowledgment 

The author is grateful to Dr. P. Schobi from the Institute for Signal 
and Information Processing, Swiss Federal Institute of Technology, 
Zurich, for many helpful discussions and a thorough reading of the 
manuscript. 

References 

[1] R. E. Miller, "Switching Theory", Vol. II, Sequential Circuits and 
Machines, John Wiley & Sons, New York, London, Sydney, 1965. 

[2] T. Siegenthaler, "Correlation-Immune Combining Functions for 
Cryptographic Applications", IEEE Tr. on Info. Theory, IT-30, 
No. 5, Sept. 1984. 

[3] R. Rueppel, "New Approaches to Stream Ciphers", Thesis, Swiss 
Federal Institute of Technology, No. 7714, 1984. 

[4] R. Rueppel, "How to Frustrate the Correlation Attack with one Bit of 
Memory", CRYPTO'85, Santa Barbara, Aug. 18-22, 1985. 


On the Security of DES 



Adi Shamir 
Applied Mathematics 
The Weizmann Institute 
Rehovot, Israel 
(abstract) 



The purpose of this note is to describe some anomalies found in the structure of the S-boxes in the Data Encryption Standard. These anomalies are potentially dangerous, but so far they have not led to any successful cryptanalytic attack. While their significance is still unknown, they clearly demonstrate the deficiencies of current certification techniques and the need for provably secure cryptosystems.

Each S-box is a mapping from six input bits ABCDEF to four output bits WXYZ. Even though they are visually random, they have a lot of intentional structure, which seems to have a positive effect on the security of DES. However, the design criteria used by IBM and the NSA were never made public.

Fig. 1 describes our main observation. It circles all the WXYZ entries in which $W \oplus X \oplus Y \oplus Z = 0$ (0, 3, 5, 6, 9, 10, 12, 15). There is a clear correlation between this function and input bit B (which determines the left/right half of each S-box). Furthermore, the minorities in each half are located in such a way that there are exceptionally simple boolean polynomials (XORs of ANDs) which describe the 64 values of $W \oplus X \oplus Y \oplus Z$ in each S-box with a very small number of errors. A detailed description of these observations, along with possible lines of attack based on them, will appear in the full paper.

Remarks: (1) The correlation between the XOR of the outputs and input bit B was independently observed by Matthew Franklin from Berkeley in his M.Sc. Thesis (submitted May 1985). I am grateful to Gilles Brassard for bringing this to my attention.

(2) Preliminary analysis by Ernie Brickell and Don Coppersmith suggests that the observed properties of the S-boxes could be an unintentional consequence of some of the design criteria.





[Figure 1: the eight DES S-boxes with the WXYZ entries for which $W \oplus X \oplus Y \oplus Z = 0$ circled. The table entries are not recoverable from the scan.]



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 280-281, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






Information theory without the finiteness assumption, II. 

Unfolding the DES 



G. R. Blakley 

Department of Mathematics 
Texas A&M University
College Station, Texas 77843-3368 



AMS(MOS) Subject Classifications: 

03D15, 08A99, 15A99, 20B99, 20D99, 68B99, 68C99, 94A99 



ACM CR Categories and Subject Descriptors: 
E.3, E.4, F.2.0, F.2.1, G.1.3, J.7



Key Words 

alphabet, arithmetic, associativity, Caesar cipher, code, codomain, commutativity, composite, confusion, continuous, cryptosystem, cyclic group, DES, diffusion, discrete, distributivity, domain, field, function, galois field, group, matrix, message, polyalphabet, position, product, ramp scheme, relation, replacement, ring, substitution, sum, symbol, symmetric group, threshold scheme, toroidal matrix, transposition, universal algebra, vector space.

Abstract 

The DES is described in purely mathematical terms by means of confusion, diffusion and arithmetic involving a group of messages and a group of keys. It turns out to be a diffusion/arithmetic cryptosystem in which confusion plays no role, although the S-boxes effect an arithmetic operation of replacement (which is sometimes mistaken for confusion) as an important part of the encryption process.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 282-337, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






1. Introduction 

Group-theoretic structures appear to underlie all of cryptography and error control. In particular, cryptosystems all appear to employ four groups: a group $K$ of keys; a group $A$, called the alphabet, of symbols; a group $P$ of positions which symbols can occupy; and a group $A^P$ of messages, i.e. functions from $P$ to $A$. Every cryptosystem is a pair $(c, d)$ of self-maps of $K \times A^P$ and is thus, from a mathematical viewpoint, a pair of very large matrices $c$ and $d$. The coding map $c$ turns an encrypt key $k \in K$ and a plaintext message $m \in A^P$ into a decrypt key $\bar{k} \in K$ and a cryptext message $\bar{m} \in A^P$. The decoding map $d$ takes the pair $(\bar{k}, \bar{m})$ as inputs and recovers $(k, m)$. The keys $k$ and $\bar{k}$ are merely inverses of each other in the group $K$. In a conventional cryptosystem the group $K$ is widely known and it is easy to produce the inverse $\bar{k}$ of $k$. Not so in a public key cryptosystem. In either type of cryptosystem the cryptext message $\bar{m}$ depends in a complicated way on both $k$ and $m$.

Interestingly, all cryptosystems appear to be built up on the basis of just three primitives:

(Shannon) confusion, a generalization of cryptographic substitution;

(Shannon) diffusion, a generalization of cryptographic transposition; and

arithmetic (in the sense of universal algebra operations derived from the composition laws associated with the groups $K$, $A$, $P$ and $A^P$). One extremely important arithmetic operation is replacement, a generalization of the notion of a cryptographic codebook.

These notions of confusion, diffusion and arithmetic can now be precisely defined, and so the general definition of cryptosystem herein is at once less general and more abstract than the one [DI79, p. 398; KO81, p. 28; DE82, p. 7; BE82, pp. 125-130; ME82, pp. 14-53] which appears in the literature to date.

The DES exhibits rich structure, and is therefore a good exemplar of this approach to cryptography. The four groups in question are as follows. The alphabet group $A$ is the field $A = GF(2) = \mathbb{Z}/2\mathbb{Z}$ with two elements. The group $P$ of positions is the ring $P = \mathbb{Z}/64\mathbb{Z}$ of integers modulo 64. Hence the group $A^P$ of messages is the 64-dimensional vector space $A^P = (\mathbb{Z}/2\mathbb{Z})^{64}$ of 64-bit words. The key group $K$ is a 56-dimensional vector subspace of $A^P$. When DES is expressed in these terms it becomes clear that it uses no confusion at all, merely diffusion and arithmetic. However, part of the arithmetic is a unary operation based on the S-boxes. Unary operations, replacements in our terminology, are reminiscent of confusions and are often mistaken for them.



2. Messages, codes, cryptosystems, confusion, diffusion, arithmetic

This paper continues and refines the approach begun in [BL83; BL85b]. The idea is to reformulate information-theoretic objects such as codes (both error-control codes and cryptographic codes), ciphers, cryptosystems, and ramp schemes [BL85a] in terms of group theory. By this means we hope to produce many new objects (both continuous [BL87] and discrete) of the sorts described above, as well as to gain a deeper understanding of the existing ones.

As far as cryptography goes, the idea is to define a message as a map $m : P \to A$ from a group $P$ of symbol positions to a group $A$ of alphabetic characters (i.e. symbols). A map between groups might be expected to be a group homomorphism. If the groups are topological groups it might be expected to be continuous. But cryptosystem designers often try to avoid "nice" algebraic, analytic or probabilistic structure. Even if messages (i.e. members of $A^P$) have significant algebraic, analytic or probabilistic structure, cryptosystems are often built so as to have as little such structure as possible. The set $A^P$ is a group in a natural manner induced by the group structure on $A$. Composition of maps is indicated by the $\circ$ operation symbol everywhere below. Thus $d \circ c$ is the map $d$ following the map $c$, and $d * c$ is the product of $d$ and $c$ if a natural product operation $*$ exists.



Definition 2.1: Let $K$, $A$ and $P$ be groups. We call $A$ the alphabet. We call $P$ the group of symbol positions. We call $A^P$ the group of messages. We call $K$ the group of keys. A cryptosystem on $A^P$ with keyspace $K$ is a pair of maps

$$c : K \times A^P \to K \times A^P$$

$$d : K \times A^P \to K \times A^P$$

such that

$$(d \circ c)((k, m)) = d(c((k, m))) = (k, m)$$

for all $(k, m) \in K \times A^P$. If we write

$$c((k, m)) = (\bar{k}, \bar{m})$$

it seems usually to be true that $\bar{k}$ does not depend on $m$, but is merely the inverse of $k$ in whatever arithmetic is natural on $K$. In DES we have

$$\bar{k} = -k$$

in a vector space $K$ over $GF(2)$, whence $-k = k$. In RSA we have [BL85b, p. 332]

$$\bar{k} = k^{-1} \bmod \lambda(p * q)$$

in a ring $\mathbb{Z}/\lambda(p * q)\mathbb{Z}$ in which $k$ is invertible. In a simple substitution cipher the decode key $\bar{k}$ is the permutation inverse $k^{-1}$ of the encode key $k \in SYM(A)$. Here, as in [KO81, p. 65], we use the notation $SYM(A)$ for the symmetric group on the set $A$, i.e. the group of all permutations of $A$. In a transposition cipher we similarly have $\bar{k} = k^{-1} \in SYM(P)$. The cryptext message $\bar{m}$, on the other hand, seems always to depend on both $k$ and $m$. In fact cryptosystem designers often have to force some mutual compatibility on the group structures of $A^P$ and $K$ in order to make this dependence easy to calculate.

Definition 2.1 can certainly be generalized. We have assumed that the set $A^P$ of plaintext messages is the same as the set of cryptext messages. This is often true, but doesn't have to be.

In short, a cryptosystem is a pair of matrices whose entries are chosen from the set of their (common) indices. This matrix structure does not necessarily make a cryptosystem easy to reconstruct or cryptanalyze. DES, for example, can be viewed as a $2^{56}$ by $2^{64}$ matrix with entries chosen from $GF(2)^{56} \times GF(2)^{64}$. Sometimes it is preferable to regard DES as a $2^{64}$ by $2^{64}$ matrix with entries chosen from $GF(2)^{64} \times GF(2)^{64}$, as we shall see in Section 3 below. An RSA is typically a $\varphi(\lambda(p * q))$ by $p * q$ matrix with entries chosen from

$$K \times A^P = [\mathbb{Z}/\varphi(\lambda(p * q))\mathbb{Z}] \times [\mathbb{Z}/p * q\mathbb{Z}],$$

where the primes $p$ and $q$ exceed $2^{250}$.

Our thesis is that all known cryptosystems are built using only three notions: confusion, diffusion, and arithmetic. Confusion (a generalization of substitution) is a selfmap

$$s : A \to A$$

of $A$ or even merely a binary relation $s$ on $A$. In other words a confusion acting on a message $m : P \to A$ is a member $s$ of the power [HA60, p. 100] set $2^{A \times A}$. But often a confusion is a member $s$ of $A^A$. There is a well known canonical injection

$$i : A^A \to 2^{A \times A}.$$

So the $s \in A^A$ definition is just a (most commonly encountered) case of the $s \in 2^{A \times A}$ definition. Actually we are sometimes driven even further than this (e.g. when we have to describe [BL85b, pp. 322-326] polyalphabetic substitutions [DE82, pp. 73-87] and one-time pads [DE82, pp. 86-87]). So our final definition of confusion is a family $s$ of members of $A^A$, or even of members of $2^{A \times A}$. In ultimate generality, then, we have

Definition 2.2: Let $A$ and $P$ be groups. We call $A^P$ the group of messages. A confusion on $A^P$ is a family

$$s : I \to 2^{A \times A}$$

of binary relations on $A$. In particular, a family of self-maps of $A$ is a confusion on $A^P$. Here, $I$ is any index set. If $I$ is a singleton and

$$s : I \to SYM(A)$$

then $s$ is a monalphabetic substitution on $A^P$.

Here, as above, $SYM(A)$ is the group of permutations of $A$. Clearly

$$SYM(A) \subseteq A^A \subseteq 2^{A \times A}.$$

Similarly

$$SYM(P) \subseteq P^P \subseteq 2^{P \times P}.$$

Thus, by analogy with the definition of confusion, we have

Definition 2.3: Let $A$ and $P$ be groups. We call $A^P$ the group of messages. A diffusion on $A^P$ is a family

$$t : J \to 2^{P \times P}$$

of binary relations on $P$. In particular, a family

$$t : J \to P^P$$

of self maps of $P$ is a diffusion on $P$. Here $J$ is any index set. If $J$ is a singleton and

$$t : J \to SYM(P)$$

then $t$ is a transposition on $A^P$ (or, at worst, an anagram on $A^P$).



This time the idea is that a diffusion acting on $A^P$ is a selfmap

$$t : P \to P$$

of $P$ or, at worst, a family of binary relations on $P$. As before, we allow the possibility of an entire family of self-maps of $P$, or even of an entire family of binary relations on $P$. Even such an object is called a diffusion.

The word arithmetic is taken in the sense of universal algebra [GR68]. Nullary, unary, binary, ternary, ..., $q$-ary, ... operations on the alphabet $A$ (i.e. the set of "symbols" used) are arithmetic. So are such operations on the group $P$ of symbol positions, on the group $K$ of keys, on the group $A^P$ of messages, or on the group $K \times A^P$. A particularly important type of arithmetic is a unary operation on $A^P$, i.e. a map

$$r : A^P \to A^P.$$

Definition 2.4: Let $A$ and $P$ be groups. We call $A^P$ the group of messages. A replacement on $A^P$ is a unary operation on $A^P$, i.e. a map

$$r : A^P \to A^P.$$



Definition 2.5: Let $G$ be a group. The following objects are arithmetic on $G$:

nullary operations $h : \{\emptyset\} \to G$

unary operations $u : G \to G$

binary operations $b : G \times G \to G$

ternary operations $y : G \times G \times G \to G$

...

$q$-ary operations $g : G \times G \times \dots \times G \to G$.

In this way we have defined arithmetic on the following structures related to a cryptosystem:

the group $P$ of symbol positions;

the group $A$ of symbols (the alphabet);

the group $K$ of keys;

the group $A^P$ of messages;

the group $K \times A^P$.

Usually arithmetic on $A^P$ is induced by arithmetic on $A$, or arithmetic on $P$, or both. For example, if $b, c \in A^P$ then we have

$$b : P \to A$$

$$c : P \to A.$$

Let $\nabla : A \times A \to A$ be a binary operation on $A$. Then $\nabla$ induces a natural binary operation (which, by the usual abuse of notation, we will also call $\nabla$) on $A^P$. We define $\nabla : A^P \times A^P \to A^P$ by subjecting

$$b \nabla c : P \to A$$

to the requirement that

$$(b \nabla c)(p) = b(p) \nabla c(p)$$

for every $p \in P$. If $A$ is a field then $A^P$ is a vector space over $A$. Its dimensionality is the cardinality of $P$.

Since a replacement is a unary operation on $A^P$, it follows that the notion of replacement is logically superfluous, being a special case of arithmetic on $A^P$. But we will nevertheless use the "replacement" terminology because this particular special case arises so often, and corresponds to the classical cryptographic notion of codebook.

There are a lot of groups $K$, $A$, $P$. So there are a lot of matrices

$$c : K \times A^P \to K \times A^P.$$

The thesis this paper presents is to the effect that people who build cryptosystems always gravitate toward those matrices $c$ which arise simply and naturally out of just confusion on $A^P$, diffusion on $A^P$, and arithmetic on $A$, on $P$, and on $A^P$. This often means they must forcibly relate $K$ to $A$, or even to $A$ and $P$ in some, not always natural, manner.
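The following Python script is an added example, not from Blakley's paper, that makes Definitions 2.1 to 2.4 concrete for small constructed groups: messages are tuples indexed by $P = \mathbb{Z}/8\mathbb{Z}$ with symbols in $A = \mathbb{Z}/26\mathbb{Z}$, and three cryptosystems $(c, d)$ are built, one per primitive of this section: a confusion keyed by $k \in SYM(A)$ acting on the codomain ($\bar{m} = k \circ m$), a diffusion keyed by $k \in SYM(P)$ acting on the domain ($\bar{m} = m \circ k$), and an arithmetic one keyed by $k \in A^P$ with $\bar{k} = -k$. A generic checker confirms $(d \circ c)((k, m)) = (k, m)$ for each, and two further checks show why the two families act on different factors: a diffusion never changes the multiset of symbols, a confusion never changes which positions hold equal symbols. All function names, sample keys and sample messages are this example's own constructions.

```python
"""Added example, not from Blakley's paper: Definition 2.1 made concrete.

A message is a map m : P -> A, stored as a tuple indexed by the positions
P = Z/8Z with symbols drawn from A = Z/26Z (both constructed choices).
A cryptosystem is a pair (c, d) of self-maps of K x A^P with
d(c((k, m))) == (k, m), where c((k, m)) = (kbar, mbar) and kbar is the
inverse of k in the key group K.  One instance is built for each of the
three primitives of Section 2:

  confusion   k in SYM(A), acting on the codomain:  mbar = k o m
  diffusion   k in SYM(P), acting on the domain:    mbar = m o k
  arithmetic  k in A^P, entrywise addition:         mbar = m + k, kbar = -k
"""
from itertools import product

A_SIZE = 26   # alphabet A = Z/26Z
P_SIZE = 8    # positions P = Z/8Z


def inverse_perm(perm):
    """Inverse of a permutation given as a tuple (perm[i] is the image of i)."""
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return tuple(inv)


# confusion: the key permutes the alphabet and is composed on the LEFT of m
def confusion_c(k, m):
    return inverse_perm(k), tuple(k[a] for a in m)            # (kbar, k o m)


def confusion_d(kbar, mbar):
    return inverse_perm(kbar), tuple(kbar[a] for a in mbar)   # (k, kbar o mbar)


# diffusion: the key permutes the positions and is composed on the RIGHT of m
def diffusion_c(k, m):
    return inverse_perm(k), tuple(m[k[p]] for p in range(len(m)))   # (kbar, m o k)


def diffusion_d(kbar, mbar):
    return inverse_perm(kbar), tuple(mbar[kbar[p]] for p in range(len(mbar)))


# arithmetic: the key is itself a message, added entrywise in A; kbar = -k
def arithmetic_c(k, m):
    kbar = tuple((-x) % A_SIZE for x in k)
    return kbar, tuple((a + x) % A_SIZE for a, x in zip(m, k))


def arithmetic_d(kbar, mbar):
    k = tuple((-x) % A_SIZE for x in kbar)
    return k, tuple((a + x) % A_SIZE for a, x in zip(mbar, kbar))


def is_cryptosystem(c, d, keys, messages):
    """Definition 2.1: (d o c)((k, m)) == (k, m) for every listed key and message."""
    return all(d(*c(k, m)) == (k, m) for k, m in product(keys, messages))


def diffusion_preserves_symbols(k, m):
    """A diffusion only moves symbols between positions: the multiset of symbols is unchanged."""
    return sorted(diffusion_c(k, m)[1]) == sorted(m)


def confusion_preserves_pattern(k, m):
    """A confusion only renames symbols: equal positions stay equal, unequal stay unequal."""
    mbar = confusion_c(k, m)[1]
    n = len(m)
    return all((m[i] == m[j]) == (mbar[i] == mbar[j]) for i in range(n) for j in range(n))


# constructed sample keys and messages
MESSAGES = [(7, 4, 11, 11, 14, 22, 14, 17), tuple(range(P_SIZE)), (0,) * P_SIZE]
ALPHA_KEYS = [tuple((3 * a + 5) % A_SIZE for a in range(A_SIZE)),   # affine map, a permutation of A
              tuple(reversed(range(A_SIZE)))]
POS_KEYS = [(1, 5, 2, 3, 4, 6, 7, 0), tuple(reversed(range(P_SIZE)))]
ADD_KEYS = [(1, 2, 3, 4, 5, 6, 7, 8), (25,) * P_SIZE]


def check_all():
    """One boolean per primitive: does its (c, d) pair satisfy Definition 2.1 on the samples?"""
    return (is_cryptosystem(confusion_c, confusion_d, ALPHA_KEYS, MESSAGES),
            is_cryptosystem(diffusion_c, diffusion_d, POS_KEYS, MESSAGES),
            is_cryptosystem(arithmetic_c, arithmetic_d, ADD_KEYS, MESSAGES))


if __name__ == "__main__":
    print("confusion, diffusion, arithmetic satisfy Definition 2.1:", check_all())
```

The arithmetic instance is the one whose decode key is the group inverse $-k$ rather than a permutation inverse, which is the DES situation described above ($\bar{k} = -k$, and over $GF(2)$ even $-k = k$); here $A = \mathbb{Z}/26\mathbb{Z}$ was chosen so that $\bar{k}$ and $k$ are visibly different.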



An analogy to the thesis we present might be Cayley's theorem: If you want to understand groups, it suffices to understand permutations. There is probably no "Cayley theorem" to the effect that, if you want to understand cryptosystems, it suffices to look at confusion/diffusion/arithmetic cryptosystems. But our "Cayley thesis" (to the effect that people have never departed from the confusion/diffusion/arithmetic methodology so far in building cryptosystems) can have uses. If it is false, what is a historical counterexample? If it is true, why do people tend to do this? Either way, it is now possible to produce numerous useful cryptosystems using the confusion/diffusion/arithmetic methodology. It should be possible to exploit it to produce a taxonomy of cryptosystems. Will such a taxonomy be useful to cryptanalysts? To cryptosystem designers? Can we produce novel useful cryptosystems which are not confusion/diffusion/arithmetic cryptosystems?

3. An overview of DES as a confusion/diffusion/arithmetic cryptosystem

The highly structured DES is a good example of how the confusion/diffusion/arithmetic approach to cryptosystem structure works. Recall that arithmetic includes replacement (a unary operation on the message group $A^P$). It also includes constants (nullary operations) and binary operations on the collection $K$ of keys, on the domain $P$ of the collection of messages, on the codomain $A$ of the collection of messages, on the collection $A^P$ of messages itself (though this last is usually induced by a related operation on the codomain $A$), and on the cartesian product $K \times A^P$ of the key collection with the message collection.

The standard descriptions [BE82, pp. 267-285; DE82, pp. 91-97; KO81, pp. 240-249; ME82, pp. 141-165] of DES describe its underlying structure in a hybrid terminology which mixes mathematical, mechanical and electrical metaphors. Moreover, though the descriptions in [BE82; DE82; KO81; ME82] are logically equivalent, they are not the same in detail. In particular it is commonplace to index rows and columns of S-boxes by the set $\mathbb{Z}/16\mathbb{Z} = \{0, 1, 2, \dots, 14, 15\}$. But Konheim goes on to use 0 as the index of the first element of every set he encounters, whereas Denning often uses 1 as the index of the first member of a set. We invariably follow Konheim's [KO81] usage herein.

Our description will be written in a top-down fashion. This section will give a brief unmotivated overview of how to describe DES in confusion/diffusion/arithmetic terms. Sections 4-9 will then go into the details. Our indebtedness to [DA84] should become obvious. We start by defining the notion of toroidal matrix. A matrix over a ring $R$ is, of course, a function

$$M : B \times C \to R$$

whose domain is a cartesian product $B \times C$ and whose codomain is the ring $R$. If both $B$ and $C$ are cyclic groups one thinks intuitively geometrically of the matrix $M$ as an array of numbers written on a bagel, rather than as a bunch of numbers written in a rectangle. This attitude is very natural and helpful in following our description of DES below. Consequently we will often use the phrase "toroidal matrix" to direct the reader's attention to the fact that the cartesian factors $B$ and $C$ of the index set $B \times C$ of $M$ are both cyclic groups whose cyclic structure is explicitly or implicitly used in constructing or manipulating $M$.

We will adopt the abbreviation

$$\Delta = (\mathbb{Z}/2\mathbb{Z})^{(\mathbb{Z}/96\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})}$$

for the vector space of all 96 by 2 toroidal matrices with entries belonging to the field $\mathbb{Z}/2\mathbb{Z}$, as well as the abbreviation

$$D = (\mathbb{Z}/96\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})$$

for the index set of these matrices. Thus we have

$$\Delta = (\mathbb{Z}/2\mathbb{Z})^D.$$

The description of DES starts with a plaintext message block

$$\tilde{m} : \mathbb{Z}/64\mathbb{Z} \to \mathbb{Z}/2\mathbb{Z},$$

i.e. a 64-bit word, and a key

$$\tilde{k} : \mathbb{Z}/64\mathbb{Z} \to \mathbb{Z}/2\mathbb{Z},$$



i.e. another 64-bit word. This latter word is formed in such a manner [DE82, p. 96] that the values of $\tilde{k}$ on the set

$$X = (\mathbb{Z}/64\mathbb{Z}) \cap (7 + 8\mathbb{Z}) = \{7, 15, 23, 31, 39, 47, 55, 63\}$$

are determined by its values on the rest of $\mathbb{Z}/64\mathbb{Z}$.

Use the initial permutation [DE82, pp. 91-97; KO81, pp. 240-249; ME82, pp. 155-160] IP and the bit-selection table [DE82, pp. 92-94; KO81, pp. 241-242; ME82, pp. 156-160] E to form a modified message

$$m : \mathbb{Z}/96\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \to \mathbb{Z}/2\mathbb{Z},$$

i.e. a member of the set $\Delta$ of toroidal 96 by 2 matrices of zeros and ones.

The modified message $m$ (which we will call a DES internal message) is formed from $\tilde{m}$ by means of a pure diffusion operation

$$\pi : D \to \mathbb{Z}/64\mathbb{Z},$$

followed by multiplication by a constant matrix $w \in \Delta$, so that

$$m = w * (\tilde{m} \circ \pi).$$

The transition from $\tilde{m}$ to $m$ by means of the initial message diffusion $\pi$ and the constant matrix $w$ is key-independent and has no secrecy aspect. In other words $m$ may be secret but does not depend on $\tilde{k}$. But $\pi$ is neither secret nor dependent on $\tilde{m}$ or $\tilde{k}$. The surjection $\pi$ is naturally associated with a certain 64 dimensional vector subspace $\Pi$ of the 192 dimensional vector space $\Delta$.

The map $\pi$ is a surjection but not an injection. Therefore [MA67, p. 9] it has no left inverse function but has many right inverse functions. Using the $IP^{-1}$ map [DE82, p. 92] we can easily fix upon a distinguished member of this set of right inverses, call it $\pi^{-1}$, which faithfully represents the map $IP^{-1}$, and which correctly reformats messages after the sixteen round operation of DES.

Independently of all this initial reformatting of the plaintext message $\tilde{m}$ so as to produce $m$, use the permuted choices (or so-called key permutations) [DE82, pp. 96-97; KO81, pp. 245-247; ME82, pp. 153-160] PC-1 and PC-2 in conjunction with the key schedule of left shifts [DE82, pp. 96-97; KO81, pp. 245-247; ME82, pp. 153-160] to turn the key $\tilde{k}$ into a modified key

$$k : \mathbb{Z}/16\mathbb{Z} \to \Delta,$$

i.e. a list $(k[0], k[1], \dots, k[15])$ of sixteen 96 by 2 toroidal matrices. This modified key $k$ (which we will call a DES internal key) is formed from (the external key) $\tilde{k}$ by means of sixteen pure diffusion operations

$$\phi[i] : \mathbb{Z}/96\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \to \mathbb{Z}/64\mathbb{Z},$$

$i \in \mathbb{Z}/16\mathbb{Z}$, and a constant matrix $v \in \Delta$. We thus write $k$ as a list

$$k = (k[0], k[1], \dots, k[15]) = (v * (\tilde{k} \circ \phi[0]), v * (\tilde{k} \circ \phi[1]), \dots, v * (\tilde{k} \circ \phi[15]))$$

of sixteen members of $\Delta$. The sixteen functions $\phi[0], \phi[1], \dots, \phi[15]$ are all naturally associated with a certain 48 dimensional vector subspace $\Phi$ of $\Delta$.

The transition from $\tilde{k}$ to $k$ by means of the initial key diffusion $\phi[i]$ and the constant matrix $v$ has no secrecy aspect. In other words $k$ may be secret, but does not depend on $\tilde{m}$. Moreover none of $v, \phi[0], \phi[1], \dots, \phi[15]$ are either secret or dependent on $\tilde{m}$ or $\tilde{k}$.

At this point we have $m \in \Delta$ and $k \in \Delta^{\mathbb{Z}/16\mathbb{Z}}$. With these seventeen 96 by 2 toroidal matrices of zeros and ones at our disposal we can describe the 16-round internal structure of DES very simply. Note that everything done so far is possible without performing any rounds of the DES. It depends only on the message block $\tilde{m}$ and the key $\tilde{k}$.

The round [DE82, pp. 92-96; KO81, pp. 240-248; ME82, pp. 141-142, 156-160] in DES is a map

$$\rho : \Phi \times \Pi \to \Pi$$

with the property that the restriction $\rho|_f$ of $\rho$ to $\{f\} \times \Pi$ is (well, amounts to, in the obvious fashion) a permutation of $\Pi$ for every matrix $f \in \Phi$. We can say, if we choose, that the round $\rho$ of DES is a family

$$\rho = \{\rho|_f : f \in \Phi\}$$

of replacements of $\Pi$.

The round $\rho$ can be further analyzed. In fact,

$$\rho(x, y) = u * (y \circ \alpha) + (\sigma(x + v * y)) \circ \alpha$$

for every $x, y \in \Delta$. Here the plus sign $+$ denotes the natural vector space addition on the vector space $\Delta$. Just add entrywise modulo 2. The times sign $*$ denotes entrywise multiplication (not matrix multiplication) of 96 by 2 toroidal matrices. The map

$$\sigma : \Delta \to \Delta$$

is a replacement corresponding to the action of the S-boxes [DE82, pp. 92-96; KO81, pp. 243-244]. The range $\Sigma$ of $\sigma$ is a 64 dimensional vector subspace of the 192 dimensional vector space $\Delta$. The map

$$\alpha : D \to D$$

is a diffusion, i.e. is a self-map of the 192-element set $D$ of ordered pairs which constitutes the domain of a modified message $m \in \Delta$. The matrix $u \in \Delta$ is a constant.

Note, at this point, that this description of DES does not speak of 16 rounds. There is just the round $\rho$. The round $\rho$ is done sixteen times in succession with (presumably) different input pairs. But it is just one map, not a list of 16 maps. It has no secrecy aspect. It does not depend on $\tilde{m}$ or $\tilde{k}$. The action of DES in the key-setting $\tilde{k}$ on the message $\tilde{m}$ is thus

$$[\rho(k[15], \rho(k[14], \rho(\dots, \rho(k[2], \rho(k[1], \rho(k[0], w * (\tilde{m} \circ \pi)))) \dots)))] \circ \pi^{-1}$$

where $w \in \Delta$ is a constant and

$$\rho(x, y) = u * (y \circ \alpha) + (\sigma(x + v * y)) \circ \alpha.$$

Let us make this more explicit. Start with three fixed 96 by 2 toroidal matrices

$$u : D \to \mathbb{Z}/2\mathbb{Z}$$

$$v : D \to \mathbb{Z}/2\mathbb{Z}$$

$$w : D \to \mathbb{Z}/2\mathbb{Z}.$$

These three fixed members of $\Delta$ can be viewed as nullary operations on $\Delta$. There is one fixed replacement

$$\sigma : \Delta \to \Delta.$$



It can be viewed as a unary operation on $\Delta$. There are two fixed binary operations on $\Delta$, namely

$$+ : \Delta \times \Delta \to \Delta$$

There are seventeen fixed initial diffusions

$$\pi : D \to \mathbb{Z}/64\mathbb{Z}$$

$$\phi[0] : D \to \mathbb{Z}/64\mathbb{Z}$$

$$\phi[1] : D \to \mathbb{Z}/64\mathbb{Z}$$

$$\dots$$

$$\phi[15] : D \to \mathbb{Z}/64\mathbb{Z}.$$

There is one fixed terminal diffusion

$$\pi^{-1} : \mathbb{Z}/64\mathbb{Z} \to D.$$

Note that the injection $\pi^{-1}$ is one of the many right inverses of the surjection $\pi$. There are no left inverses of it. There is an internal diffusion

$$\alpha : D \to D$$

which takes place internal to the round. There are no confusions, i.e. no selfmaps of the alphabet $\mathbb{Z}/2\mathbb{Z}$ which are composed on the left of any symbols such as $\tilde{k}$, $k$, $\tilde{m}$, $m$, $u$, $v$, $w$ or $\sigma$. We shall see later that the diffusion $\alpha$ makes use of selfmaps of $\mathbb{Z}/2\mathbb{Z}$. However the $\mathbb{Z}/2\mathbb{Z}$ this self-map acts on is not the alphabet, but rather the second cartesian factor in the cartesian product

$$\mathbb{Z}/96\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} = D,$$

which constitutes the domain, not the codomain of a message. Hence these latter selfmaps are diffusions, not confusions.



To employ the $\tilde{k}$ key-setting of DES on the plaintext message $\tilde{m}$, one proceeds as follows to build a list of 17 members of $\Delta$, followed by one member of $(\mathbb{Z}/2\mathbb{Z})^{\mathbb{Z}/64\mathbb{Z}}$:

$$q[0] = w * (\tilde{m} \circ \pi);$$

$$q[1] = u * (q[0] \circ \alpha) + (\sigma(\tilde{k} \circ \phi[0] + v * q[0])) \circ \alpha;$$

$$q[2] = u * (q[1] \circ \alpha) + (\sigma(\tilde{k} \circ \phi[1] + v * q[1])) \circ \alpha;$$

$$\dots$$

$$q[14] = u * (q[13] \circ \alpha) + (\sigma(\tilde{k} \circ \phi[13] + v * q[13])) \circ \alpha;$$

$$q[15] = u * (q[14] \circ \alpha) + (\sigma(\tilde{k} \circ \phi[14] + v * q[14])) \circ \alpha;$$

$$q[16] = u * (q[15] \circ \alpha) + (\sigma(\tilde{k} \circ \phi[15] + v * q[15])) \circ \alpha;$$

$$y = q[16] \circ \pi^{-1}.$$

4. The initial permutation IP and its inverse

Permutations will be written as products of disjoint cycles. For example

$$\theta = (1,5,2,3)(4,6)(7) = (7)(4,6)(5,2,3,1)$$

is the function $\theta$ such that: $\theta(1) = 5$; $\theta(2) = 3$; $\theta(3) = 1$; $\theta(4) = 6$; $\theta(5) = 2$; $\theta(6) = 4$; $\theta(7) = 7$.

The initial permutation IP [DE82, p. 92] can be factored [DA84, p. 190] into disjoint cycles of lengths 1, 2, 3 and 6 in the following fashion.

$$IP = \prod_j U[j],$$

where the product is over $j \in \{0, 1, 2, 3, 4, 5, 6, 8, 10, 11, 13, 18, 21, 42\}$, and



$U[0] = (0, 57, 54, 12, 27, 39)$

$U[1] = (1, 49, 52, 28, 31, 7)$

$U[2] = (2, 41, 50, 44, 26, 47)$

$U[3] = (3, 33, 48, 60, 30, 15)$

$U[4] = (4, 25, 55)$

$U[5] = (5, 17, 53, 20, 29, 23)$

$U[6] = (6, 9, 51, 36, 24, 63)$

$U[8] = (8, 59, 38)$

$U[10] = (10, 43, 34, 40, 58, 46)$

$U[11] = (11, 35, 32, 56, 62, 14)$

$U[13] = (13, 19, 37, 16, 61, 22)$

$U[18] = (18, 45)$

$U[21] = (21)$

$U[42] = (42).$



[DA84, pp. 189-191] contains a very complete discussion of IP from a variety of viewpoints and we will not consider it further, other than to note that (4), (5) and (7) in [DA84, p. 190] all express IP and $IP^{-1}$ in various ways in terms of $\mathbb{Z}/2\mathbb{Z}$ arithmetic, the group $SYM(\mathbb{Z}/6\mathbb{Z})$ of symmetries of a 6-member set, and $GF(64)$ arithmetic.
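The cycle factorization listed above can be recomputed from the published table of IP. The Python script below is an added example, not Blakley's code: it converts the 1-indexed FIPS 46 table to the 0-indexed (Konheim) convention used here, factors the resulting permutation of $\mathbb{Z}/64\mathbb{Z}$ into disjoint cycles under the convention that $(1,5,2,3)$ means $\theta(1) = 5$, and also constructs $IP^{-1}$ and checks that $IP^{-1} \circ IP$ is the identity. The function names are this example's own.

```python
"""Added example, not from Blakley's paper: factor the DES initial permutation
IP into disjoint cycles in the 0-indexed (Konheim) convention of Section 4.

IP_TABLE is the published FIPS 46 table (1-indexed): output bit i+1 is taken
from input bit IP_TABLE[i].  As a self-map of Z/64Z this is
theta(i) = IP_TABLE[i] - 1, read with the convention of Section 4 that the
cycle (1,5,2,3) means theta(1) = 5.
"""

IP_TABLE = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]

IP = tuple(x - 1 for x in IP_TABLE)   # 0-indexed permutation of Z/64Z


def disjoint_cycles(perm):
    """Factor a permutation (perm[i] is the image of i) into disjoint cycles.

    Each cycle is listed starting from its smallest element and the cycles
    are returned in increasing order of that element, so the cycle that
    starts with j is U[j] in the notation of Section 4.
    """
    seen = [False] * len(perm)
    cycles = []
    for start in range(len(perm)):
        if seen[start]:
            continue
        cycle, i = [], start
        while not seen[i]:
            seen[i] = True
            cycle.append(i)
            i = perm[i]
        cycles.append(tuple(cycle))
    return cycles


def inverse(perm):
    """The two-sided inverse of a permutation, e.g. IP^{-1}."""
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return tuple(inv)


def compose(f, g):
    """(f o g)(i) = f(g(i)), the composition convention of Section 2."""
    return tuple(f[g[i]] for i in range(len(g)))


def cycle_lengths(perm):
    """Sorted multiset of cycle lengths; for IP this is lengths 1, 2, 3 and 6 only."""
    return sorted(len(c) for c in disjoint_cycles(perm))


if __name__ == "__main__":
    for c in disjoint_cycles(IP):
        print(f"U[{c[0]}] = {c}")
    print("cycle lengths of IP:", cycle_lengths(IP))
    print("IP^-1 o IP is the identity:", compose(inverse(IP), IP) == tuple(range(64)))
```

Because $IP$ has two fixed points, one 2-cycle, two 3-cycles and nine 6-cycles, its order as a permutation is 6, which is one of the facts [DA84] exploits in expressing it through $SYM(\mathbb{Z}/6\mathbb{Z})$.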

5. The initial diffusions which turn a 64-bit plaintext message block $\tilde{m}$ into a DES internal message $m$.

Let

$$\Lambda = [\mathbb{Z}/96\mathbb{Z}] \cap [(1 + 3\mathbb{Z}) \cup (0 + 12\mathbb{Z}) \cup (11 + 12\mathbb{Z})]$$
$$= \{0, 1, 4, 7, 10, 11, 12, 13, 16, 19, 22, 23, 24, 25, 28, \dots, 67, 70, 71, 72, 73, 76, 79, 82, 83, 84, 85, 88, 91, 94, 95\}$$

$$D = \mathbb{Z}/96\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$$

$$\Omega = \Lambda \times \mathbb{Z}/2\mathbb{Z}$$

$$G = \Lambda \times \{0\}$$

$$F = \Lambda \times \{1\}$$

$$L = [(\mathbb{Z}/96\mathbb{Z}) \cap (1 + 3\mathbb{Z})] \times \{1\}$$

$$X = [(\mathbb{Z}/64\mathbb{Z}) \cap (1 + 3\mathbb{Z})] \times \{1\}.$$

Then, clearly,

cardinality($\Lambda$) = 32 + 8 + 8 = 48
cardinality($D$) = 96 * 2 = 192
cardinality($\Omega$) = 48 * 2 = 96
cardinality($G$) = 48 * 1 = 48
cardinality($F$) = 48 * 1 = 48
cardinality($L$) = 32 * 1 = 32.



We define $\nu : F \to L$ by setting

$$\nu(f) = f \quad \text{if } f \in L$$

$$\nu((12t, 1)) = (12t - 2, 1)$$

$$\nu((12t - 1, 1)) = (12t + 1, 1)$$

if $t \in \mathbb{Z}/8\mathbb{Z}$. See Table 5.1 below.

It is evident that $\nu$ is a 3 to 2 surjection. We define several vector spaces over the field $GF(2) = \mathbb{Z}/2\mathbb{Z}$. Let

$$\Delta = (\mathbb{Z}/2\mathbb{Z})^D$$

$$\Pi = \{d \in \Delta : d(i, j) = 0 \text{ if } i \notin \Lambda\}$$

$$\Gamma = \{q \in \Pi : q(i, j) = 0 \text{ if } j \neq 0\}$$

$$\Phi = \{q \in \Pi : q(i, j) = 0 \text{ if } j \neq 1\}.$$

Thus $\Pi$ is the vector subspace of $\Delta$ consisting of all 96 by 2 toroidal matrices whose support is $\Omega$. Similarly $\Gamma$ is the vector subspace of $\Pi$ consisting of matrices supported on $\Lambda \times \{0\}$, and $\Phi$ consists of all matrices supported on $\Lambda \times \{1\}$. Also we need

$$\tilde{\Pi} = \{q \in \Pi : q(12t - 2, j) = q(12t, j) \text{ and } q(12t - 1, j) = q(12t + 1, j) \text{ for every } t \in \mathbb{Z}, \text{ every } j \in \mathbb{Z}\}$$

$$\tilde{\Gamma} = \tilde{\Pi} \cap \Gamma$$

$$\tilde{\Phi} = \tilde{\Pi} \cap \Phi.$$

Clearly we have $\Pi = \Gamma \oplus \Phi$ and $\tilde{\Pi} = \tilde{\Gamma} \oplus \tilde{\Phi}$. Table 5.2 below describes dimensionalities and subspace relationships among these 7 vector spaces.



We also need the masks $w$, $u$ and $v$ which turn members of $\Delta$ into members of $\Pi$, $\Gamma$ and $\Phi$ respectively. The vector $w \in \Pi$ has as many entries equal to 1 as a member of $\Pi$ can have, i.e.

$$w(i, j) = 1 \quad \text{if } (i, j) \in \Lambda \times \mathbb{Z}/2\mathbb{Z}$$
$$\phantom{w(i, j)} = 0 \quad \text{otherwise.}$$

Similarly $u \in \Gamma$ and $v \in \Phi$. Evidently

$$u(i, j) = 1 \quad \text{if } (i, j) \in \Lambda \times \{0\}$$
$$\phantom{u(i, j)} = 0 \quad \text{otherwise}$$

$$v(i, j) = 1 \quad \text{if } (i, j) \in \Lambda \times \{1\}$$
$$\phantom{v(i, j)} = 0 \quad \text{otherwise}$$

$$u * v = 0$$
$$u * w = u$$
$$v * w = v$$
$$u + v = w.$$

Also, for any $d \in \Delta$ we have

$$u * d = d * u \in \Gamma$$
$$v * d = d * v \in \Phi$$
$$w * d = d * w \in \Pi.$$

We will set up a bijection between $\Pi$ and the space of all 64-bit plaintext DES words. Then we will proceed in the spirit of [DA84] and do all further DES operations in $\Pi$. The larger vector space $\Delta$ arises naturally from an attempt to make the data expansion effected by the bit selection [DE82, p. 93] table E and the workings of the DES round more simple.

The initial [KO81, pp. 240-242] permutation IP and the bit-selection [DE82, pp. 93-94] table E are two of the diffusions used to reformat a 64-bit plaintext message block for internal use by DES. In the treatment below it will be part of the conversion of a plaintext message block

$$\tilde{m} \in (\mathbb{Z}/2\mathbb{Z})^{\mathbb{Z}/64\mathbb{Z}}$$

into an internal DES message $m \in \Delta$. Tables 5.3 and 5.4 below give the values of $\tilde{\pi}$, $\pi$, $\tilde{m} \circ \pi = \tilde{m} \circ IP \circ \tilde{\pi}$, $w$ and $m = w * (\tilde{m} \circ \pi)$. All of them are displayed as 96 by 2 toroidal matrices. The diffusion $\tilde{\pi}$ is the identity permutation of $D$, represented as a matrix. It is shown to give the reader a clear picture of where the $(j, j')$th entry of each of the matrices shown is located. The diffusion

$$\pi = IP \circ \tilde{\pi} : D \to \mathbb{Z}/64\mathbb{Z}$$

is a 3-to-1 surjection, represented as a matrix. The map

$$\tilde{m} \circ \pi = \tilde{m} \circ IP \circ \tilde{\pi} : D \to \mathbb{Z}/2\mathbb{Z}$$



is a member of $\Delta$, and is represented as a matrix. The nullary operation (i.e. constant, or mask) $w \in \Delta$ is represented as a matrix. The entrywise product

$$m = w * (\tilde{m} \circ \pi) = w * (\tilde{m} \circ IP \circ \tilde{\pi})$$

is represented as a matrix. An entry of this matrix $w * (\tilde{m} \circ \pi)$ must be zero if the corresponding entry of $w$ is zero. Other entries of $w * (\tilde{m} \circ \pi)$ can also be zero (for example the $(0,0)$th entry of $w * (\tilde{m} \circ \pi)$ is zero if $\tilde{m}(7) = 0$). Its left column consists of the entries indexed by indices of the form $(0, j) \in D$, and amounts to a 48-bit left-half word. Its right column consists of the entries indexed by pairs of the form $(1, j) \in D$, and amounts to a 48-bit right half word. There are relationships among its rows. Thus

row 0 = row 94
row 12 = row 10
row 24 = row 22
...
row 72 = row 70
row 84 = row 82

also

row 11 = row 13
row 23 = row 25
row 35 = row 37
...
row 83 = row 85
row 95 = row 1.

Hence 32 of the rows of $w * (\tilde{m} \circ \pi)$ determine all its rows. See [DA84, pp. 191-192] for an arithmetical description of the bit selection table E. Our approach is similar but we spread the bits of the initial 64-bit message more uniformly through a larger array.

We note that $\tilde{\pi}$ and $\pi = IP \circ \tilde{\pi}$ are single matrices. But the collection

$$\{w * (\tilde{m} \circ \pi) : \tilde{m} \in (\mathbb{Z}/2\mathbb{Z})^{\mathbb{Z}/64\mathbb{Z}}\}$$

is a 64 dimensional subspace of $\Delta$.



$\nu(0, 1) = (94, 1)$
$\nu(1, 1) = (1, 1)$
$\nu(4, 1) = (4, 1)$
$\nu(7, 1) = (7, 1)$
$\nu(10, 1) = (10, 1)$
$\nu(11, 1) = (13, 1)$
$\nu(12, 1) = (10, 1)$
$\nu(13, 1) = (13, 1)$
$\nu(16, 1) = (16, 1)$
$\nu(19, 1) = (19, 1)$
$\nu(22, 1) = (22, 1)$
$\nu(23, 1) = (25, 1)$
$\nu(24, 1) = (22, 1)$
$\nu(25, 1) = (25, 1)$
$\nu(28, 1) = (28, 1)$
...
$\nu(83, 1) = (85, 1)$
$\nu(84, 1) = (82, 1)$
$\nu(85, 1) = (85, 1)$
$\nu(88, 1) = (88, 1)$
$\nu(91, 1) = (91, 1)$
$\nu(94, 1) = (94, 1)$
$\nu(95, 1) = (1, 1)$

Table 5.1. The 3 to 2 surjection $\nu : F \to L$





Each row of the table answers the question: is the space at left a subspace of the space heading the column?

space    dimension    Δ     Π     Π̃     Γ     Γ̃     Φ     Φ̃
Δ        192          yes
Π         96          yes   yes
Π̃        64          yes   yes   yes
Γ         48          yes   yes         yes
Γ̃        32          yes   yes   yes   yes   yes
Φ         48          yes   yes                     yes
Φ̃        32          yes   yes   yes               yes   yes

Table 5.2



[Table 5.3: $\tilde{\pi}$, the identity on $D$, and $\pi = IP \circ \tilde{\pi}$, each displayed as a 96 by 2 toroidal matrix indexed by the pairs $(0, 0), (1, 0), (0, 1), (1, 1), \dots, (0, 95), (1, 95)$. The matrix entries are not recoverable from the scan.]



313 



Table 5.4: the 96 by 2 toroidal matrices m ∘ π, m ∘ IP ∘ π and w * (m ∘ IP ∘ π), written entry by entry as the message bits m(j) they contain and the zeros introduced by the mask w. The table body does not survive extraction in a usable layout.

6. The initial diffusions which turn a 64-bit external key block k into a DES list k of sixteen internal keys.

The permuted choices PC-1 and PC-2 [KO81, pp. 245-247] are initial diffusions which will be used in this paper to help turn a 64-bit external DES key block

k ∈ (Z/2Z)^{Z/64Z},

of which 56 bits are effective, into a list

k = (k[0], k[1], ..., k[15])

of sixteen internal DES keys belonging to the 48 dimensional vector subspace Φ of the 192 dimensional vector space A. We will follow [DE82, p. 96] in regarding PC-1 as an injection of the 56 member set Z/64Z \ X into the 64 member set Z/64Z rather than as a permutation of the 56 member set Z/64Z \ X. As always, however, we will follow [KO81] in starting our indexing with 0 rather than with 1. The table of DES key schedule shifts also plays a part in the process of converting a conventional DES key into a list of internal keys. It is necessary to perform several successive diffusions on a 64-bit DES key k followed by an (entrywise) matrix multiplication, so as to produce an "internal key", i.e. a list

k = (k[0], k[1], ..., k[15])

of sixteen 96 by 2 toroidal matrices which will serve as key material in the internal format of the round structure of DES. For each i ∈ Z/16Z the ith internal key entry k[i] will be a member of the 48 dimensional vector subspace Φ of the 192 dimensional vector space A of all 96 by 2 toroidal matrices over GF(2) = Z/2Z.

We start, therefore, with the DES external key

k = (k(0), k(1), ..., k(63))

and recall that it belongs to a 56 dimensional vector subspace of the 64 dimensional space of lists of 64 bits. This is because, as noted in Section 3, the bits k(7), k(15), ..., k(63) are parity bits, whose values are determined by the other 56 bits of k, the bits indexed by members of Z/64Z \ X.

The index set, Z/28Z × Z/2Z, of the set of 28 by 2 toroidal matrices is important enough to have its own name. So we define

J = Z/28Z × Z/2Z.

And we recall, from Section 3,

D = Z/96Z × Z/2Z.

The first diffusion applied to k is

ψ : J → Z/64Z.

The diffusion ψ embodies the information contained in the permuted choice PC-1 [DE82, p. 96]. Once again [DA84, pp. 195-196] describes PC-1 in arithmetic terms and points out its simple structure, which a reader can easily discover in ψ. The diffusion ψ turns k into a 28 by 2 toroidal matrix k ∘ ψ over Z/2Z.

Then we have a list

λ = (λ[0], λ[1], ..., λ[15])

of diffusions

λ[i] : J → J

each of which replaces this 28 by 2 toroidal matrix k ∘ ψ by a "left-shifted" version of itself (a phrase more faithful to the matrix picture would be "Ferris-wheeled") induced by the key schedule of left shifts LS [DE82, p. 96]. The index set for the list λ is, of course, Z/16Z.

Once the 16 member list

(k ∘ ψ ∘ λ[0], k ∘ ψ ∘ λ[1], ..., k ∘ ψ ∘ λ[15])

of 28 by 2 toroidal matrices over Z/2Z has been constructed it is necessary to use a last key diffusion

ξ : D → J

to produce a list

(k ∘ ψ ∘ λ[0] ∘ ξ, k ∘ ψ ∘ λ[1] ∘ ξ, ..., k ∘ ψ ∘ λ[15] ∘ ξ)

of sixteen 96 by 2 toroidal matrices over Z/2Z. This diffusion ξ embodies all the information contained in the key permutation PC-2 [DE82, p. 97]. Finally we must multiply (entrywise) each of these matrices by a "mask" matrix v which is zero in 144 of its entries and has the value one only in those 48 entries corresponding to the 48 inputs to the S-boxes [DE82, pp. 92-97]. The matrix v is the nullary operation (mask) defined in Section 5. At this point we give the explicit characterizations of ψ, λ and ξ. The toroidal matrices ψ ∈ (Z/64Z)^J and ξ ∈ J^D are shown in Figures 6.1 and 6.2. We have deliberately left three fourths of the entries of ξ unevaluated (denoted by the sharp symbol #). Any one of them can have any value in J the reader desires (such flexibility may lead to some simplification). This is because the mask v will be multiplied by the matrix we are building and will leave only zeros in these places in

k[i] = v * (k ∘ ψ ∘ λ[i] ∘ ξ) = v * (k ∘ φ[i]) ∈ Φ ⊂ A

anyway, where φ[i] abbreviates ψ ∘ λ[i] ∘ ξ.

For each i ∈ Z/16Z the diffusion

λ[i] : J → J

is defined by setting

λ[i]((a, b)) = (a + t(i), b)

where the 16-entry list t of positive integers is given by

t = (t(0), t(1), ..., t(15)) = (1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28).

These successive positive integers are just the successive partial sums of the numbers of left shift positions in [DE82, p. 96]. Note that after 16 rounds the 28 by 2 toroidal matrix k ∘ ψ has been rolled all the way around to its original position, so that no reset is needed before encrypting the next DES message m in the same key k. Note the sum, a + t(i), above. To show that it would be wrong to use the difference, a − t(i), we will work out Example 6.1 below. Now it merely remains to multiply by the mask v ∈ Φ so as to zero out the whole left column (the entries with second index 0) as well as half of the right column of k ∘ ψ ∘ λ[i] ∘ ξ. We thus have

k[i] = v * (k ∘ ψ ∘ λ[i] ∘ ξ) = v * (k ∘ φ[i]).

Example 6.1: To verify that these diffusions actually faithfully represent the key schedule of DES let us follow k_8, k_44 and k_29 in Konheim's [KO81, p. 247] notation. Because we have kept the parity bits in positions 7 modulo 8 we have the correspondence

k_8 = k(9),
k_29 = k(33),
k_44 = k(50).

We verify that

ψ((14, 0)) = 9,
ψ((17, 0)) = 50,
ψ((11, 0)) = 33

and that

λ[0]((13, 0)) = (14, 0),
λ[0]((16, 0)) = (17, 0),
λ[0]((10, 0)) = (11, 0)

and that

ξ((0, 1)) = (13, 0),
ξ((1, 1)) = (16, 0),
ξ((4, 1)) = (10, 0).

Hence

(k ∘ ψ ∘ λ[0] ∘ ξ)((0, 1)) = k(ψ(λ[0](ξ((0, 1)))))
                           = k(ψ(λ[0]((13, 0))))
                           = k(ψ((14, 0)))
                           = k(9)
                           = k_8

and

(k ∘ ψ ∘ λ[0] ∘ ξ)((1, 1)) = k(ψ(λ[0](ξ((1, 1)))))
                           = k(ψ(λ[0]((16, 0))))
                           = k(ψ((17, 0)))
                           = k(50)
                           = k_44

and

(k ∘ ψ ∘ λ[0] ∘ ξ)((4, 1)) = k(ψ(λ[0](ξ((4, 1)))))
                           = k(ψ(λ[0]((10, 0))))
                           = k(ψ((11, 0)))
                           = k(33)
                           = k_29.

And this, of course, is what can be found in [KO81, p. 247] as the beginning of the key used in the first round of DES.
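The key schedule just verified in Example 6.1, carried out as index bookkeeping in the added Python example below (this is not code from the paper). PC-1, the left-shift schedule and PC-2 are the FIPS 46 tables, 1-based there and converted to the paper's 0-based numbering here, and the byte-to-bit convention that puts the parity bit at positions 7 modulo 8 is the usual most-significant-bit-first one; the sample keys at the end are constructed for the example.

```python
"""DES key schedule as index bookkeeping (added example, not the paper's code).

Key bits are numbered 0..63 as in the paper, parity bits at 7, 15, ..., 63.
PC-1, the left-shift schedule and PC-2 are the standard FIPS 46 tables
(1-based in the standard, converted to 0-based here); they carry the same
information as the paper's diffusions psi, lambda[i] and xi.  Each round key
is produced as the list of the 48 key-bit positions it selects, which is what
Example 6.1 checks for the first three positions of the first round.
"""

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
       59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6,
       61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
LEFT_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def cumulative_shifts():
    """The paper's list t: partial sums of the left-shift schedule."""
    out, total = [], 0
    for s in LEFT_SHIFTS:
        total += s
        out.append(total)
    return out


def rotate_left(seq, t):
    """lambda[i]: (a, b) -> (a + t, b); one column of k o psi rolled by t."""
    t %= len(seq)
    return seq[t:] + seq[:t]


def round_key_positions():
    """For rounds 0..15, the 48 key-bit positions (0-based, parity bits kept
    in the numbering) that make up the round key, in PC-2 order."""
    cd = [p - 1 for p in PC1]               # psi: J -> Z/64Z, 56 positions
    c, d = cd[:28], cd[28:]                 # the two columns of k o psi
    keys = []
    for t in cumulative_shifts():
        cdt = rotate_left(c, t) + rotate_left(d, t)
        keys.append([cdt[p - 1] for p in PC2])   # xi: the PC-2 selection
    return keys


def key_bytes_to_bits(key):
    """8 key bytes -> 64 bits, bit 0 the most significant bit of byte 0, so
    that bit 8j + 7 is the parity (least significant) bit of byte j."""
    return [(key[i // 8] >> (7 - i % 8)) & 1 for i in range(64)]


def round_keys(key):
    """The sixteen 48-bit round keys of an 8-byte DES key."""
    bits = key_bytes_to_bits(key)
    return [[bits[p] for p in pos] for pos in round_key_positions()]


if __name__ == "__main__":
    first = round_key_positions()[0]
    print("round 0 starts with key bits", first[:3])        # [9, 50, 33]
    # Constructed sample key: only parity bits set, so every round key is 0.
    print(round_keys(bytes([0x01] * 8))[0])
```

Besides reproducing k_8 = k(9), k_44 = k(50) and k_29 = k(33) for the first round, the functions make two remarks of the text checkable: the cumulative shift list ends at 28, so the sixteenth round selects from the unrotated PC-1 output and the next message needs no reset, and a key whose only set bits are parity bits yields sixteen all-zero round keys, because no position congruent to 7 modulo 8 is ever selected.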



Row a gives ψ((a, 0)) and ψ((a, 1)) for a = 0, ..., 27; these are the entries of PC-1, renumbered from 0.

 a   ψ((a,0))   ψ((a,1))
 0      56         62
 1      48         54
 2      40         46
 3      32         38
 4      24         30
 5      16         22
 6       8         14
 7       0          6
 8      57         61
 9      49         53
10      41         45
11      33         37
12      25         29
13      17         21
14       9         13
15       1          5
16      58         60
17      50         52
18      42         44
19      34         36
20      26         28
21      18         20
22      10         12
23       2          4
24      59         27
25      51         19
26      43         11
27      35          3

Figure 6.1: the 28 by 2 toroidal matrix ψ ∈ (Z/64Z)^J.



Figure 6.2: the top, middle and bottom thirds of the 96 by 2 toroidal matrix ξ ∈ J^D. Three fourths of the entries are left unevaluated (#); the 48 evaluated entries sit in the right column at the S-box input positions and are the PC-2 selections written as members of J.



7. The DES round ρ, in which an internal key k interacts with an internal message m.

The DES wire-crossing P [DE82, p. 93; KO81, p. 245] and the selection functions [DE82, p. 94], i.e. S-boxes [KO81, p. 244], are used in each of the sixteen actions of the DES round. We now see that an internal message m and an entry k[i] of an internal key list k are members of A. In fact

m ∈ Π ⊂ A,
k[i] ∈ Φ ⊂ A.

The round ρ of DES proceeds as follows. The mask v is such that

v * m ∈ Φ ⊂ A.

Hence

v * m + k[i] ∈ Φ.

This vector v * m + k[i] is input to the replacement σ corresponding to the S-boxes [KO81, p. 244] and, after wire crossing [KO81, p. 245] and masking, comes out as a member δ of Ψ. Meanwhile u * m (a member of Γ) is diffused by a column interchange to produce a member ε of Φ. The sum of these two matrices is the result of the round ρ.

We now carry out this process in detail. Before the first action of the round ρ there is an initial internal message m ∈ Π. Clearly, then, the (entrywise) product satisfies

v * m ∈ Φ.

Also there is an entry k[0] of the internal key k. It satisfies

k[0] ∈ Φ.

Consequently their (entrywise) sum also belongs to the 48 dimensional vector space Φ, i.e.

v * m + k[0] ∈ Φ.

We have a choice as to how we view the action of the S-boxes in the context of A. We can regard this action as a replacement of A (i.e. as a function with domain and codomain both equal to A) which is independent of 144 of the 192 entries of a matrix

v * m + k[0] = y ∈ A.

We can also regard it as a function from Φ to Φ, to be followed by a diffusion corresponding to wire crossing and interchange of right half and left half words. This latter approach seems more in keeping with the standard descriptions of DES and we will adopt it.

So we will start by writing

Φ = Φ[0] ⊕ Φ[1] ⊕ ... ⊕ Φ[7]
Ψ = Ψ[0] ⊕ Ψ[1] ⊕ ... ⊕ Ψ[7]

where each Φ[i] is 6 dimensional, each Ψ[i] is a 4 dimensional subspace of Φ[i] and, in fact

Φ[0] = {t ∈ A : t(i, j) = 0 unless j = 1 and i ∈ {0, 1, 4, 7, 10, 11}}
Ψ[0] = {t ∈ Φ[0] : t(0, 1) = t(11, 1) = 0}
Φ[1] = {t ∈ A : t(i, j) = 0 unless j = 1 and i ∈ {12, 13, 16, 19, 22, 23}}
Ψ[1] = {t ∈ Φ[1] : t(12, 1) = t(23, 1) = 0}
...
Φ[7] = {t ∈ A : t(i, j) = 0 unless j = 1 and i ∈ {84, 85, 88, 91, 94, 95}}
Ψ[7] = {t ∈ Φ[7] : t(84, 1) = t(95, 1) = 0}.

The first (i.e. zeroth) S-box determines a map

σ[0] : Φ[0] → Ψ[0]

and similarly the ith S-box determines σ[i] : Φ[i] → Ψ[i] for 0 ≤ i ≤ 7. We will not describe these individual S-box maps any further. The nonlinear heart of DES is thus based on the map

σ[0] ⊕ σ[1] ⊕ ... ⊕ σ[7] = σ : Φ → Ψ ⊂ Φ.

Evidently the unary operation σ is a replacement of Φ. Its working is

σ(f) = (σ[0] ⊕ ... ⊕ σ[7])(f[0] ⊕ ... ⊕ f[7]) = σ[0](f[0]) ⊕ ... ⊕ σ[7](f[7]).

In other words each S-box works separately on its 6-bit input to produce its 4-bit output.

The support of f ∈ A is the 48 member set F, whereas the support of σ(f) ∈ A is the 32 member subset L of F. To turn the wire crossing P [DE82, p. 93; KO81, p. 245] into a diffusion which permutes L we introduce the permutation

μ = μ[0] μ[1]

of Z/32Z where

μ[0] = (0, 15, 9, 14, 30, 3, 20, 31, 24, 18, 23, 8)
μ[1] = (1, 6, 27, 5, 11, 25, 12, 4, 28, 21, 26, 29, 10, 22, 2, 19, 13, 17, 7, 16).

It is easy to see [DE82, p. 93; KO81, p. 245] that μ embodies the post-S-box wire crossing P and that we use it to produce the diffusion

μ̂ : D → D

such that

μ̂((1 + 3i, 1)) = (1 + 3μ(i), 1)   if (1 + 3i, 1) ∈ L, and
μ̂((j, k)) = (j, k)                 if (j, k) ∉ L.

After this we need the standard diffusion which splits L so as to cover F, i.e. the map

ν : F → L

defined in Section 5 above.

We also need the "column interchange" (i.e. interchange of left and right half-words) diffusion

α : D → D

defined by setting

α((i, j)) = (i, j + 1);

since D = Z/96Z × Z/2Z the addition takes place in Z/2Z and amounts to the permutation (0 1) of the set {0, 1}.

The round of DES thus takes m ∈ A and splits it into u * m ∈ Γ and v * m ∈ Φ in the sense that

u ∈ Γ,
v ∈ Φ,
u * m + v * m = (u + v) * m = m ∈ A.

Then k[i] is added to v * m to yield

k[i] + v * m ∈ Φ.

The replacement σ : Φ → Ψ is then applied to yield

σ(k[i] + v * m) ∈ Ψ.

Then the two diffusions

μ̂ : D → D,
ν : F → L

are applied to σ(k[i] + v * m) to yield

σ̄(k[i] + v * m) = (σ(k[i] + v * m)) ∘ μ̂ ∘ ν ∈ Γ

and α is applied to m and to σ̄(k[i] + v * m) to yield

m ∘ α ∈ A,
σ̄(k[i] + v * m) ∘ α ∈ Γ.

Then m ∘ α is masked by u ∈ Γ to yield

u * (m ∘ α).

Finally, an addition produces

u * (m ∘ α) + (σ(k[i] + v * m)) ∘ μ̂ ∘ ν ∘ α
    = u * (m ∘ α) + σ̄(k[i] + v * m) ∘ α
    = ρ(k[i], m).
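One round ρ in the decomposition above, as an added Python example (not the paper's code). E and P are the FIPS 46 tables standing in for the diffusions ν and μ̂, and μ is rebuilt from the two cycles given for it so that it can be checked against P. The eight DES S-box tables are not reproduced on the page, so the replacement σ is a pluggable stand-in that is deliberately not injective; the example shows that ρ has an inverse whatever σ is, because the argument of σ is carried to the other column unchanged. The round key and halves used at the bottom are constructed for the example.

```python
"""One DES round in the paper's decomposition (added example, not the paper's code).

E (the paper's nu), P (the paper's mu-hat) and the round key are the
standard FIPS 46 objects.  The S-box layer sigma is pluggable because the
DES S-box tables are not on the page; the stand-in used here is not
injective on purpose.  The round rho is invertible regardless.
"""
import random

E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
# The paper's cycle decomposition mu = mu[0] mu[1] of P on Z/32Z.
MU_CYCLES = [(0, 15, 9, 14, 30, 3, 20, 31, 24, 18, 23, 8),
             (1, 6, 27, 5, 11, 25, 12, 4, 28, 21, 26, 29, 10, 22, 2, 19, 13, 17, 7, 16)]


def mu_from_cycles():
    """mu as a list: mu[i] is the successor of i in its cycle."""
    mu = [None] * 32
    for cyc in MU_CYCLES:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            mu[a] = b
    return mu


def expand(r32):
    """nu: 32 -> 48 bits; 16 of the bits are copied twice."""
    return [r32[e - 1] for e in E]


def permute(s32):
    """mu-hat on the 32-bit S-box output: output bit j is input bit P[j]."""
    return [s32[p - 1] for p in P]


def stand_in_sbox(i, six):
    """A 6 -> 4 bit replacement that forgets the two outer bits, so 64
    inputs collapse onto 16 outputs.  Not a DES S-box (assumption)."""
    return six[1:5]


def sigma(x48, sbox=stand_in_sbox):
    """sigma = sigma[0] (+) ... (+) sigma[7], each box on its own 6 bits."""
    out = []
    for i in range(8):
        out.extend(sbox(i, x48[6 * i:6 * i + 6]))
    return out


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def f(r32, k48, sbox=stand_in_sbox):
    """sigma(k[i] + v*m) followed by the wire crossing: the f-function."""
    return permute(sigma(xor(expand(r32), k48), sbox))


def rho(l32, r32, k48, sbox=stand_in_sbox):
    """One round: the right half moves to the other column (alpha) and f of
    it is added to the old left half."""
    return r32, xor(l32, f(r32, k48, sbox))


def rho_inverse(l32, r32, k48, sbox=stand_in_sbox):
    """Undo rho with the same round key by recomputing f from the copied half."""
    return xor(r32, f(l32, k48, sbox)), l32


def random_bits(n, seed):
    """Constructed sample input; a fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


if __name__ == "__main__":
    l, k = random_bits(32, 1), random_bits(48, 3)
    r = [1 - b for b in l]
    print(rho_inverse(*rho(l, r, k), k) == (l, r))   # True
    print(mu_from_cycles() == [p - 1 for p in P])    # True
```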

8. The terminal diffusion π^{-1} which produces a cryptext message in 64-bit block form.

The final permutation IP^{-1} [DE82, p. 92] is one of the diffusions used to reformat an internal DES message after the sixteenth operation of the round so as to produce a correctly formatted 64-bit cryptext message block. Consider the injection

π^{-1} : Z/64Z → D

defined by setting

π^{-1}(t) = (IP^{-1}(3t + 1), 0)        if 0 ≤ t ≤ 31, and
π^{-1}(t) = (IP^{-1}(32 + 3t + 1), 1)   if 32 ≤ t ≤ 63.

It is easy to verify that π ∘ π^{-1} is the identity function on Z/64Z.



9. Recap of DES from the confusion/diffusion/arithmetic viewpoint.

It is clear from the foregoing that DES uses only diffusion and replacement, no confusion. We thus seem, on a superficial reading, to be at odds with [DA84, p. 187] when those authors speak of "a representation of the DES as a cascade of substitutions and permutations." But this surface appearance of conflict arises only because they are using intuitively plausible terminology, whereas we have set confusion (hence substitution) in a rigorous context which banishes replacement (hence the action of the S-boxes) to the realm of arithmetic. This is, in turn, true because we have explicitly defined the alphabet of symbols which DES uses, namely the 2-letter alphabet

{0, 1} = GF(2) = Z/2Z,

and have, consequently, been forced to choose

P = Z/64Z

as the set of letter positions in a 64-bit "message". The reader can object that the alphabet could be taken as the set A = (Z/2Z)^{Z/64Z} of all 64-bit words. But at that level DES would merely be a simple substitution cipher, and no deeper analysis would be called for. What about regarding DES words as lists of sixteen 4-bit words, i.e. choosing

P = Z/16Z,
A = (Z/2Z)^{Z/4Z}?

Neither we nor [DA84] have devoted any space to explicit consideration of such a formulation of the DES, though it might prove interesting.

Why didn't its designers put any confusion into DES? For one thing, the alphabet A used by DES is the field

A = GF(2) = Z/2Z.

Since A has only 2 members, we see that SYM(A) has only 2 members, A^A has only 4 members, and even 2^{A×A} has only 16 members. A cryptosystem designer with only 16 confusion maps at his disposal doesn't have much running room and might be inclined to abandon the confusion approach for that reason. He could, however, fall back on a large family (i.e. a family determined by a large index set I) of members of

2^{A×A},

that is, of binary relations on A = Z/2Z. One attractive possibility is a polyalphabetic substitution cipher in the sense made precise in [BL85b, pp. 322-326].

Another reason for shunning confusion in DES could be that diffusion is cryptographically stronger, in a sense, on messages belonging to (Z/2Z)^G, where G is a group of reasonably large order. Consider a known plaintext attack on a 16-alphabetic substitution cipher acting on 16 bit messages

m ∈ (Z/2Z)^16.

If the cryptext version of

m = (1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0)

is m itself then all 16 alphabets have been recovered and the cryptanalyst has completely broken the cipher (i.e. has narrowed the original 2^16 possible polyalphabetic cipher keys down to 1). But if she is dealing with a transposition cipher and finds that the above message m is encrypted as itself under the cipher, she has merely narrowed an original 16! possible cipher keys down to (8!)^2 = 16!/12,870 possible keys. So she has both a smaller reduction factor (12,870 vs. 65,536) and a larger remaining collection of possible keys.

The expansion of perspective in this paper from lists of 64 bits to members of the vector space A of 96 by 2 toroidal matrices over Z/2Z = GF(2) simplified the description of the operation of the bit selection table E [DE82, p. 93; KO81, p. 242]. Further expansion of the size of the vector space beyond 192 dimensions can be used to simplify the description of key diffusions and, perhaps, S-boxes. The question is where the optimum stopping place lies. This would be a vector space within which most operations are very simple, but yet a space not too large to admit of manipulation by a cryptanalyst.

There are precedents for such an expansion of viewpoint in the success of tensor product methods in algebra and geometry. One example would be the use of multilinear maps on R^n × R^n × ... × R^n to define polynomial maps on R^n. It remains to be seen to what extent a comparable approach will benefit cryptosystem design or cryptanalysis.

By this time the general features of the confusion/diffusion/arithmetic approach to cryptography begun in [BL85b] are fairly clear. In DES we see quite a lot of simple arithmetic of binary operations (e.g., group addition modulo 2 or modulo 28, monoid multiplication modulo 2) and of nullary operations (such as the constant matrices u, v and w belonging to the vector space A) as well as a little fancy (and expensive) arithmetic of unary operations (the map σ corresponding to the S-boxes, some expansions and wire crossing) and a lot of diffusion. Most of our diffusions were, in fact, functions. Indeed most were either injections or surjections.

We hope at this point to have clarified for the reader all the wire crossings, tables, boxes, (so called) substitutions which are really replacements, permutations which aren't really permutations, left shifts, schedules, half words (which are merely columns of matrices), and blocks.

Employment of the methodology of this paper makes it possible to exorcise lugs, pins, rotors, shift registers, grilles, squares, wheels, ... from other well-known cryptosystems. Not that these notions have served ill up to now; after all, many of them have been, or even still are, physically present and functioning in our crypto boxes, or grilles, or spools, or ... . It's just that they are too many, too baroque, too far from the silicon medium and too unlike the mathematical notions which both builders and breakers employ in their work on cryptosystems. Also, of course, they have an unnecessarily finitist influence on our ways of speaking (hence thinking) about cryptography.

NSA Grant MCS 904-83-H-0002 supported this research. 

10. References.

BE82 H. Beker and F. Piper, Cipher Systems: The Protection of Communications, Wiley-Interscience, New York (1982).

BL83 G. R. Blakley and Laif Swanson, Infinite structures in information theory, Advances in Cryptology: Proceedings of Crypto '82, Plenum Press (1983), pp. 39-50.

BL85a G. R. Blakley and Catherine Meadows, Security of ramp schemes, in G. R. Blakley and D. Chaum (editors), Advances in Cryptology, Proceedings of Crypto '84, Springer-Verlag, Berlin (1985), pp. 242-268.

BL85b G. R. Blakley, Information theory without the finiteness assumption, I: Cryptosystems as group-theoretic objects, in G. R. Blakley and D. Chaum (editors), Advances in Cryptology, Proceedings of Crypto '84, Springer-Verlag, Berlin (1985), pp. 314-338.

BL87 G. R. Blakley and W. Rundell, A cryptosystem based on an analog of heat flow, Technical Report, September (1985).

DA84 M. Davio, Y. Desmedt, M. Fosseprez, R. Govaerts, J. Hulsbosch, P. Neutjens, P. Piret, J.-J. Quisquater, J. Vandewalle and P. Wouters, Analytical characteristics of the DES, in Advances in Cryptology, Proceedings of Crypto '83, D. Chaum, Editor, Plenum Press, New York (1984), pp. 171-202.

DE82 D. E. R. Denning, Cryptography and Data Security, Addison-Wesley, Reading, Massachusetts (1982).

DI79 W. Diffie and M. E. Hellman, Privacy and authentication: An introduction to cryptography, Proceedings of the IEEE, vol. 67 (1979), pp. 397-427.

GR68 G. Grätzer, Universal Algebra, Van Nostrand, Princeton, New Jersey (1968).

HA60 P. R. Halmos, Naive Set Theory, Van Nostrand, Princeton, New Jersey (1960).

HO71 K. Hoffman and R. Kunze, Linear Algebra, Second Edition, Prentice Hall, Englewood Cliffs, New Jersey (1971).

KI71 J. Killingbeck and G. H. A. Cole, Mathematical Techniques and Physical Applications, Academic Press, New York (1971).

KO56 A. N. Kolmogoroff, On the Shannon theory of information transmission in the case of continuous signals, IEEE Transactions on Information Theory, vol. IT-2 (1956), pp. 102-108.

KO81 A. G. Konheim, Cryptography: A Primer, Wiley-Interscience, New York (1981).

ME82 C. H. Meyer and S. M. Matyas, Cryptography: A New Dimension in Computer Data Security, Wiley-Interscience, New York (1982), Third Printing.

LI83 R. Lidl and H. Niederreiter, Finite Fields, Volume 20 of the Encyclopedia of Mathematics and its Applications, Addison-Wesley, Reading, Massachusetts (1983).

MA67 S. MacLane and G. Birkhoff, Algebra, Macmillan, New York (1967).

MA78 F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam (1978).

MO63 G. D. Mostow, J. H. Sampson and J.-P. Meyer, Fundamental Structures of Algebra, McGraw-Hill, New York (1963).

NI59 H. K. Nickerson, D. C. Spencer and N. E. Steenrod, Advanced Calculus, Van Nostrand, Princeton, New Jersey (1959).

PA66 H. Paley and P. Weichsel, A First Course in Abstract Algebra, Holt, Rinehart and Winston, New York (1966).

RO64 G.-C. Rota, On the foundations of combinatorial theory, I. The theory of Möbius functions, Zeitschrift für Wahrscheinlichkeitstheorie und Verwandte Gebiete, Vol. 2 (1964), pp. 340-368.



Analysis of a Public Key Approach 
Based on Polynomial Substitution 



Harriet Fell 
Northeastern University 
Boston, Massachusetts 

Whitfield Diffie 
Bell-Northern Research 
Mountain View, California 

1 Introduction 

Ever since the discovery of public key cryptography in 1975 [2], the search for public key cryptosystems has been a central theme of cryptographic research. The public key cryptosystems [5, 8, 7] that have been investigated during this period, however, are slower than conventional systems, require more storage, and, being based on areas of mathematics that were not previously important in cryptography, have not inspired the same degree of trust as conventional systems. It would therefore be desirable to develop new techniques based on principles both different from those employed in current public key cryptosystems and more closely allied with conventional cryptography.

Several years ago, after the development of the public key concept, but before any plausible examples were known, a suggestion along these lines was made to one of the authors by John McCarthy of Stanford University, who said he had gotten the idea from talking with an algebraic geometer about birational transformations. The idea was to build inverse pairs of multivariate polynomial transformations by a procedure commonly employed in algebraic geometry to construct inverse pairs of rational transformations.

2 The Fundamental Scheme

Our approach is to regard the plaintext as an n-vector of elements selected from a suitable ring R and build an invertible polynomial transformation P of several variables from R^n to R^n. The coefficients of this transformation will be the public key and the inverse transformation Q the secret key. Thus:

    Plaintext                    P        Ciphertext
    x = (x_1, ..., x_n)   ------->   (P_1(x), ..., P_n(x))

where x_1, ..., x_n ∈ R and P_1, ..., P_n are multivariate polynomials with coefficients in R.

Assume, for example, that the plaintext is a vector of three components, x, y and z, from a ring R and that p_0 and p_1 are polynomials in two variables over R. We can now build up a polynomial transformation of three variables by acting on the variables one at a time.

In the first round, (x, y, z) is carried to:

(x_1, y_1, z_1) = (x, y, z + p(x, y)),

where p can be either p_0 or p_1. In the second, (x_1, y_1, z_1) goes to:

(x_2, y_2, z_2) = (x_1 + p(y_1, z_1), y_1, z_1).

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 340-349, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 



The process continues:

(x_3, y_3, z_3) = (x_2, y_2 + p(x_2, z_2), z_2)

until after a number of rounds:

P(x, y, z) = (x_k, y_k, z_k) = (x_{k-1} + p(y_{k-1}, z_{k-1}), y_{k-1}, z_{k-1})

is a nonlinear, invertible, polynomial transformation on a module, M, of dimension 3 over R. The secret key is the sequence of choices of p_0 or p_1 and the order in which they are applied to x, y, and z. For example:

(x_1, y_1, z_1) = (x + p_1(y, z), y, z)
(x_2, y_2, z_2) = (x_1, y_1, z_1 + p_0(x_1, y_1))
(x_3, y_3, z_3) = (x_2, y_2 + p_0(x_2, z_2), z_2)
(x_4, y_4, z_4) = (x_3, y_3, z_3 + p_1(x_3, y_3))
P(x, y, z) = (x_5, y_5, z_5) = (x_4 + p_0(y_4, z_4), y_4, z_4)

The secret key is ((x, 1), (z, 0), (y, 0), (z, 1), (x, 0)). The inverse transformation can be found by using the key in reverse: ((x, 0), (z, 1), (y, 0), (z, 0), (x, 1)), i.e.:

(x_4, y_4, z_4) = (x_5 − p_0(y_5, z_5), y_5, z_5)
(x_3, y_3, z_3) = (x_4, y_4, z_4 − p_1(x_4, y_4))

and so on.

Naturally the number of polynomials need not be limited to 2 nor the dimension, d, of M over R to 3, but there is probably no virtue in using polynomials of degree other than d − 1.

This plan offers, on its face, not only plausible hope for constructing inverse pairs of transformations, but one with very close ties to the shift register mathematics of conventional cryptography. The alternate transformation of variables x and y is closely analogous to alternate operation on the left and right halves in DES [3]. In general, the notion of modifying some components of a vector by adding to them functions of other components underlies all shift registers, both linear and nonlinear [1, 4].

A key difference between the construction of conventional cryptosystems and public key cryptosystems lies in the way the systems are presented to the user. A shift register cryptosystem is a description of the way in which the plaintext is modified incrementally through a number of iterations to become the ciphertext. Such a description precludes public key use because it can equally readily be read in the other direction as a description of how to derive the plaintext from the ciphertext by incremental modifications. In order to develop a public key system along these lines, it is necessary to simplify the equations that arise from the incremental substitution process in such a way as to conceal the substitutions.

On first glance, it seems sufficient to carry out the substitutions as the process goes on. On second, it becomes obvious that the number of coefficients in the polynomials will grow to astronomical proportions after only a few iterations. In order to prevent the equations from exploding into unusable bulk, some device must be found for eliminating most of the terms; the most obvious such devices are nilpotence and J-rings and these will be examined in the remainder of this paper.

3 Reducing the Number of Coefficients

3.1 Nilpotence

A ring R is nilpotent if there is an integer k > 1 such that R^k = {0}. That means that for any elements r_1, ..., r_k ∈ R the product r_1 r_2 ⋯ r_k is zero, so a multivariate polynomial with coefficients in R can only have meaningful terms whose total degree does not exceed k.

There is a hitch, however, in applying nilpotence in our fundamental scheme. We expect the scheme, described in section 2, to yield a transformation of the form:

    plaintext                    P        ciphertext
    x = (x_1, ..., x_n)   ------->   (P_1(x), ..., P_n(x))                 (3.1)

where x_1, ..., x_n ∈ R and P_1, ..., P_n have coefficients in R. Note that no transformation of this form can be invertible. Suppose that each P_i has constant term C_i. Let T_i(x) = P_i(x) − C_i. The system P is invertible if and only if the system T = (T_1, ..., T_n) is invertible, but T can never be invertible as T_i(x) ∈ R^2 ⊊ R.

What went wrong is that although the iteration in section 2 always produces an invertible transformation, if we apply this iteration scheme in a ring without a unit, we do not get a transformation of the form (3.1) but rather one of the form:

    plaintext                    P        ciphertext
    x = (x_1, ..., x_n)   ------->   x + (P_1(x), ..., P_n(x))             (3.2)

where x_1, ..., x_n ∈ R and P_1, ..., P_n have coefficients in R. The transformation (3.2) is a polynomial transformation but its coefficients are not all in R, as R is nilpotent and cannot contain a unit element.

We can still make use of nilpotence, however. We take R to be a finite local ring, that is a finite commutative ring with 1 that has a unique maximal ideal N of nilpotents. (Note R/N is a finite field.) The general form of the encryption transformation again becomes:

    plaintext                    P        ciphertext
    x = (x_1, ..., x_n)   ------->   (P_1(x), ..., P_n(x))                 (3.3)

where x_1, ..., x_n and P_1(x), ..., P_n(x) all lie in N. That is, P is a multivariate polynomial transformation from R^n to R^n that is invariant and invertible on N^n. The number of coefficients in the polynomials is restricted by the nilpotence because terms of high total degree are identically zero on N^n and we do not care how they behave on the rest of R^n. The transformations generated by the iteration scheme of section 2 will be of this type if we choose the polynomials p_1, p_2, ... to have coefficients in N or to have coefficients in R but constant terms in N.
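The iteration of section 2 and the nilpotent truncation just described, as an added Python example (not the authors' code). R = Z/16Z is a finite local ring with maximal ideal N = 2R and N^4 = {0}, so every monomial of total degree 4 or more is dropped while the rounds are composed into the public polynomials P_1, P_2, P_3. The round polynomials p_0, p_1 and the plaintext are constructed for this example, the key is the one from section 2, and public_key_bits is the count that Figure 3.1 tabulates, with ⌈64/n⌉ bits per coefficient.

```python
"""Triangular polynomial public-key scheme over a finite local ring.

Added example; not code from the Fell/Diffie paper.  R = Z/16Z, maximal
ideal N = 2R with N^4 = {0}.  A polynomial is a dict mapping an exponent
tuple to a coefficient mod 16.  Monomials of total degree >= NILP vanish on
N^n and are discarded during composition (section 3.1).
"""
from itertools import product
from math import ceil, comb

MOD, NILP, NVARS = 16, 4, 3       # the ring, the k with N^k = 0, and n


def p_add(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = (out.get(e, 0) + c) % MOD
    return {e: c for e, c in out.items() if c}


def p_neg(a):
    return {e: (-c) % MOD for e, c in a.items()}


def p_mul(a, b):
    out = {}
    for (ea, ca), (eb, cb) in product(a.items(), b.items()):
        e = tuple(i + j for i, j in zip(ea, eb))
        if sum(e) >= NILP:           # identically zero on N^n: drop it
            continue
        out[e] = (out.get(e, 0) + ca * cb) % MOD
    return {e: c for e, c in out.items() if c}


def const(v):
    return {(0,) * NVARS: v % MOD} if v % MOD else {}


def var(i):
    e = [0] * NVARS
    e[i] = 1
    return {tuple(e): 1}


def p_eval(poly, pt):
    tot = 0
    for e, c in poly.items():
        for xi, ei in zip(pt, e):
            c = c * pow(xi, ei, MOD) % MOD
        tot = (tot + c) % MOD
    return tot


# Round polynomials (constructed for this example).  Their constant terms
# 2 and 6 lie in N, so the rounds map N^3 into itself.
def p0(a, b):                       # a*b + 3a + 2
    return p_add(p_add(p_mul(a, b), p_mul(const(3), a)), const(2))


def p1(a, b):                       # a^2 + 5b + 6
    return p_add(p_add(p_mul(a, a), p_mul(const(5), b)), const(6))


POLYS = (p0, p1)
IDX = {'x': 0, 'y': 1, 'z': 2}
# The paper's example key: add POLYS[j](the other two components) to the
# named component, one round per entry.
SECRET_KEY = (('x', 1), ('z', 0), ('y', 0), ('z', 1), ('x', 0))


def round_step(state, name, which, sign):
    i = IDX[name]
    a, b = [state[j] for j in range(NVARS) if j != i]
    delta = POLYS[which](a, b)
    new = list(state)
    new[i] = p_add(state[i], delta if sign > 0 else p_neg(delta))
    return new


def encrypt(state, key=SECRET_KEY):
    for name, which in key:
        state = round_step(state, name, which, +1)
    return state


def decrypt(state, key=SECRET_KEY):        # the key read backwards
    for name, which in reversed(key):
        state = round_step(state, name, which, -1)
    return state


def public_key():
    """Compose the rounds on the variables themselves: P = (P_1, P_2, P_3)."""
    return encrypt([var(i) for i in range(NVARS)])


def as_ints(state):
    return tuple(s.get((0,) * NVARS, 0) for s in state)


def encrypt_secret(pt):                   # the key holder's computation
    return as_ints(encrypt([const(v) for v in pt]))


def decrypt_secret(ct):
    return as_ints(decrypt([const(v) for v in ct]))


def encrypt_public(pub, pt):              # anyone with the public key
    return tuple(p_eval(P, pt) for P in pub)


def public_key_bits(n, k, plaintext_bits=64):
    """Figure 3.1: n polynomials with T(n, k) = C(n + k, k) monomials of
    total degree <= k, ceil(plaintext_bits / n) bits per coefficient."""
    return n * ceil(plaintext_bits / n) * comb(n + k, k)


if __name__ == "__main__":
    pt = (2, 6, 10)                       # constructed plaintext in N^3
    pub = public_key()
    print(encrypt_secret(pt), encrypt_public(pub, pt))   # both (6, 14, 10)
    print([len(P) for P in pub], public_key_bits(3, 2))  # <= 20 each, 660
```

The public polynomials are correct only on N^3, which is exactly the point of section 3.1: the secret-key computation works on constants and never truncates, the public computation evaluates the truncated polynomials, and the two agree because every dropped monomial is a product of at least four elements of N.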

3.2 J-Rings

Let R be a finite commutative ring. R is a J-ring if there is an integer d > 1 such that a^d = a for any a ∈ R. A multivariate polynomial over a J-ring can be reduced to a polynomial all of whose terms have individual degrees < d (or total degrees < dn where n is the number of variables). This time the transformation will be of the form of equation (3.1).

3.3 Upper-Triangular Matrices

We represent the plaintext by a pair of upper-triangular matrices with entries from a finite ring R. The encryption transformation will be of the form:

    plaintext            P        ciphertext
    (X_1, X_2)   ------->   (P_1(X_1, X_2), P_2(X_1, X_2))                 (3.4)

where X_1, X_2 are upper-triangular k × k matrices over R and P_1, P_2 have coefficients in R. If M_1, ..., M_k are strictly upper-triangular (zero diagonal) k × k matrices over R then the product M_1 ⋯ M_k is zero. This means that the polynomials will have terms of total degree at most k − 1. As the matrices do not commute, there are more terms to deal with than in the commutative nilpotent case (3.1) but there is also hope that non-commutativity will make lower degree polynomial systems more difficult to invert.






[Figure 4.1 (table): bits of key in the commutative case for a 64-bit plaintext, tabulated against n and k = 2, ..., 18.] 

For multivariate polynomials of degree k in n variables 

$T(n,k)$ = # of terms possible in one polynomial 
$\lceil 64/n \rceil \cdot T(n,k)$ = # of bits to represent one polynomial 
$n \cdot \lceil 64/n \rceil \cdot T(n,k)$ = # of bits in the public key 

Figure 4.1 Bits of Key in Commutative Case (Plaintext = 64 bits) 



4 Finding Systems of Practical Size 

The public key in the system we have proposed consists of the coefficients of the polynomials 
making up the transformation P. We do not want a key that is too large and have taken 10,000 
bits to be the upper limit on the size of key that we will consider. 

4.1 The Commutative Case 

We must first count the maximum number of terms in a polynomial of total degree k in n 
variables. This number, T(n, k) can be computed recursively as follows: 



$$T(1,k) = k + 1 \qquad (\text{i.e., } 1, X, \dots, X^k)$$
$$T(n,1) = n + 1 \qquad (\text{i.e., } 1, X_1, \dots, X_n)$$
$$T(n,k) = T(n,k-1) + T(n-1,k) \qquad (k, n > 1).$$






[Figure 4.2 (table): bits of key in the commutative case for a 128-bit plaintext, tabulated against n and k = 2, ..., 11.] 

For multivariate polynomials of degree k in n variables 

$T(n,k)$ = # of terms possible in one polynomial 
$\lceil 128/n \rceil \cdot T(n,k)$ = # of bits to represent one polynomial 
$n \cdot \lceil 128/n \rceil \cdot T(n,k)$ = # of bits in the public key 

Figure 4.2 Bits of Key in Commutative Case (Plaintext = 128 bits) 



The recursion step follows since $T(n, k-1)$ is the number of terms of total degree $\le k$ in which $X_n$ 
appears. Each such term is of the form $X_n$ times a term in n variables with total degree $\le k - 1$. 
$T(n-1, k)$ is the number of terms of total degree $\le k$ in which $X_n$ does not appear. 

Now we need the number of bits necessary to represent the coefficients of a polynomial of 
total degree k in n variables. This clearly depends on the size of the ring but there are restrictions 
on the ring size if we want the plaintext size to conform to present standards. If the plaintext 
$(X_1, \dots, X_n)$ is to have 64 bits then each $X_i$ must represent $\lceil 64/n \rceil$ bits. If R is a J-ring so that 
encryption method (3.1) is used, then R must have cardinality $2^{\lceil 64/n \rceil}$. The number of bits needed 
to represent a single polynomial of total degree k in n variables is given by $\lceil 64/n \rceil \cdot T(n,k)$. The 
number of bits in the public key polynomial transformation is $n \cdot \lceil 64/n \rceil \cdot T(n,k)$. These numbers 
are computed and presented in Figure 4.1. The same computation for a plaintext of 128 bits is 
presented in Figure 4.2. 

If the ring is local and the general encryption method of equation 3.3 is used, then the 
cardinality of the nilpotent ideal, N, must be $2^{\lceil 64/n \rceil}$ or $2^{\lceil 128/n \rceil}$. The cardinality of R is at least 
twice that of N. The number of bits needed to represent the public key is at least double the 
numbers that appear in Figures 4.1 and 4.2. If the specific iteration described in section 2 is used 
with $P_1, \dots, P_n$ having coefficients in N then the number of bits needed to represent the public 
key is exactly as shown in Figures 4.1 and 4.2. 

It is striking that if we are restricted to 10,000 bits of key then the polynomials making up 
the encryption transformation and also those making up its inverse can have no more than 153 
terms (n = 2, k = 16, 64-bit plaintext). We shall see in the next section that this is too small for 
cryptographic security. 






[Figure 4.3 (table): bits in one matrix, $(\log p)\, k(k-1)/2$, tabulated for $p = 2, 4, \dots, 2^{22}$ (log p = 1, ..., 22) against $k = 4, \dots, 17$.] 

Figure 4.3 Bits of Plaintext in one Upper-Triangular Matrix over $Z_p$ 



4.2 The Upper- Triangular Case 

We consider the special case of $k \times k$ upper-triangular matrices over $Z_p$. We have taken p to be 
a power of 2 so that there is no bit loss in representing the ring. A single matrix carries $(\log p) \cdot k(k-1)/2$ 
bits. In Figure 4.3 we show the number of bits of plaintext in a pair of upper-triangular matrices 
over $Z_p$. 

Figure 4.3 also provides information in the case of a general commutative ring R. The number 
of bits shown for a particular p provides lower (upper) bounds when R is any commutative ring 
with cardinality greater than (less than) p. 














[Figure 4.4 (table): for each p (log p = 1, ..., 11) the value of k used, bits per matrix, terms per polynomial ($2^k - 1$), bits per polynomial and bits per 2 polynomials; one panel for a 64 bit plaintext and one for a 128 bit plaintext.] 

Figure 4.4 Bits of Key; Upper-triangular Case 



In Figure 4.4 we compute the number of bits in the public key when the plaintext has 64 and 
128 bits respectively. To do this computation we must find the number of terms in a polynomial 
in 2 upper-triangular $k \times k$ matrices. Recall that these polynomials will have total degree at most 
$k - 1$. The number of terms of exactly degree j in 2 non-commuting variables is $2^j$. It is the same 
as making j choices from 2 items with repetition allowed. The total number of terms is, therefore: 

$$\sum_{j=0}^{k-1} 2^j = 2^k - 1.$$



There appear to be cases where the key is not terribly big and where the number of terms in each 
polynomial is large enough that we might have cryptographic security. We will see, however, in the 
next section that we can solve for the coefficients of the polynomials in the inverse transformation 
in layers so that we need never face a very large system of equations. 
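The key-size arithmetic of sections 4.1 and 4.2 as an added Python example (not code from the original paper): the recursion for T(n,k), the commutative key size n·⌈b/n⌉·T(n,k), a search for the largest term count under the paper's 10,000-bit limit, and the upper-triangular counts (log p)·k(k−1)/2 and 2^k − 1 behind Figures 4.3 and 4.4. The function names are assumptions of this example.

```python
from functools import lru_cache
from math import ceil, comb, log2

KEY_LIMIT_BITS = 10_000   # the paper's upper limit on an acceptable public key


@lru_cache(maxsize=None)
def T(n, k):
    """Terms (monomials, constant included) of total degree <= k in n variables, by the paper's
    recursion T(1,k) = k+1, T(n,1) = n+1, T(n,k) = T(n,k-1) + T(n-1,k); equals C(n+k, k)."""
    if n == 1:
        return k + 1
    if k == 1:
        return n + 1
    return T(n, k - 1) + T(n - 1, k)


def commutative_key_bits(n, k, plaintext_bits=64):
    """Public-key size in the commutative (J-ring) case: n polynomials, each with T(n,k)
    coefficients of ceil(plaintext_bits/n) bits (the ring has cardinality 2^ceil(b/n))."""
    return n * ceil(plaintext_bits / n) * T(n, k)


def largest_feasible_commutative(plaintext_bits=64, limit=KEY_LIMIT_BITS, max_n=64):
    """(n, k, T(n,k), key_bits) with the most terms per polynomial whose key fits the limit.
    k starts at 2 (k = 1 would make P linear); the key grows with k, so each n stops early."""
    best = None
    for n in range(2, max_n + 1):
        k = 2
        while True:
            bits = commutative_key_bits(n, k, plaintext_bits)
            if bits > limit:
                break
            if best is None or T(n, k) > best[2]:
                best = (n, k, T(n, k), bits)
            k += 1
    return best


def upper_triangular_matrix_bits(p, k):
    """Bits carried by one k x k upper-triangular matrix over Z_p, p a power of 2 (Figure 4.3)."""
    return int(log2(p)) * k * (k - 1) // 2


def smallest_k(p, plaintext_bits):
    """Smallest k for which a pair of k x k upper-triangular matrices over Z_p holds the
    plaintext (the k column of Figure 4.4)."""
    k = 2
    while 2 * upper_triangular_matrix_bits(p, k) < plaintext_bits:
        k += 1
    return k


def upper_triangular_terms(k):
    """Terms in a polynomial in two non-commuting k x k upper-triangular matrices: total degree
    at most k-1 and 2^j terms of exact degree j, so the sum over j = 0..k-1 is 2^k - 1."""
    return sum(2 ** j for j in range(k))


def upper_triangular_key_bits(p, k):
    """Last column of Figure 4.4: two public polynomials, one log2(p)-bit coefficient per term."""
    return 2 * int(log2(p)) * upper_triangular_terms(k)
```

Running `largest_feasible_commutative()` reproduces the paper's remark that no more than 153 terms (n = 2, k = 16, 9792 bits of key) fit under the 10,000-bit limit for a 64-bit plaintext.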






[Figure 4.5 (table): bits of key in the non-commutative case for a 64-bit plaintext, tabulated against n and k.] 

For multivariate polynomials of degree k in n variables 

$n^{k+1} - 1$ = # of terms possible in one polynomial 
$\lceil 64/n \rceil \cdot (n^{k+1} - 1)$ = # of bits to represent one polynomial 
$n \cdot \lceil 64/n \rceil \cdot (n^{k+1} - 1)$ = # of bits to represent the public key. 

Figure 4.5 Bits of Key; Non-commutative Case; 64-Bit Plaintext 



4.3 The General Non-Commutative Case 

As will be shown in the next section, the commutative and upper-triangular cases are not 
cryptographically secure, so we offer one other suggestion. Let R be a non-commutative finite ring. 
In Figure 4.5 we show the number of bits of key in this case. The number of terms in a polynomial 
of total degree k in n non-commuting variables is given by $n^{k+1} - 1$. The reasoning is the same 
as that used to compute the number of terms in the polynomials of section 4.1 above. Figure 4.5 
shows that there are very few cases to investigate. The number of terms in the polynomials is 
small but there is some hope that the complications of non-commutative arithmetic will impede 
cryptanalysis. 

5 Inverting These Systems 

Assume that we know the public key, $P = (P_1, \dots, P_n)$, and we want to find a transformation 
$Q = (Q_1, \dots, Q_n)$ such that $Q_i(P_1(x), \dots, P_n(x)) = x_i$ $(i = 1, \dots, n)$. We know that such a system 
Q of polynomials exists and that the $Q_i$ have the same types of terms as the $P_i$. That is: 

$$Q_i = a_i + b_{i1} y_1 + \cdots + b_{in} y_n + c_{i11} y_1^2 + \cdots.$$

We know which terms are present; we must find the coefficients of $Q_i$ $(i = 1, \dots, n)$. 

5.1 If R is a J-ring 

Pick a vector $A = (A_1, \dots, A_n)$ in $R^n$. Compute $P_1(A), \dots, P_n(A)$. Set $Q_1(P_1(A), \dots, P_n(A)) = A_1$. 
This gives a linear equation with coefficients in R whose unknowns are the coefficients of $Q_1$. 
Let q be the number of coefficients of $Q_1$. If we can produce vectors $A_i = (A_{i1}, \dots, A_{in})$ in $R^n$ $(i = 1, \dots, q)$ 
such that the resulting linear equations are independent then, hopefully, we can solve 
for the coefficients of $Q_1$. As Q is invertible, we know that such an independent system exists. 
Any J-ring R is a direct sum of finite fields [8]. Hence the system can be solved independently over 
each component field of R using standard techniques of linear algebra over fields. A system of 
approximately 150 equations can be solved in a reasonable time by existing techniques and in our 
systems of practical size, $Q_i$ never has more than 153 coefficients. 

There remains the problem of generating q independent equations. We suggest the following 
simple procedure. 1. Choose $A \ne 0$ in $R^n$ and accept the linear equations it produces. 2. After 
having found $k - 1$ independent equations, choose a new vector $A \ne 0$ at random and accept it 
if it is independent of the $k - 1$ vectors already found. Otherwise, discard it and repeat this step 
until you succeed. If, at each stage, the system is put, componentwise, into reduced row-echelon 
form, then checking the new equation and row-reducing the new system are both easy. We cannot 
prove that this method will produce the necessary q equations in a reasonable amount of time but 
believe it does for the following reasons: 

Assume $R = Z_p$, p a prime. If k vectors are chosen at random from $(Z_p)^q$ then the probability 
that they are independent is given by $(1 - 1/p^q)(1 - 1/p^{q-1}) \cdots (1 - 1/p^{q-k+1})$, so the probability 
that a random $q \times q$ determinant over $Z_p$ is non-singular is given by: 

$$\prod_{i=1}^{q} \left(1 - \frac{1}{p^i}\right).$$

Although the elementary lower bound on this product is 0 when $p = 2$, the products are actually greater than 1/4 in 
this case. 

Unfortunately, the coefficient vectors in these equations are not generated at random from all 
possible $p^q$ vectors over $Z_p$; we can only generate $p^n$ vectors but expect that they will be randomly 
distributed in the larger set. Given this, the above argument shows that we are likely to generate 
q independent equations without much difficulty. 
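The procedure of section 5.1 as an added Python example (not the paper's code): a constructed toy public key over the J-ring Z_7, built from two substitution rounds of the kind section 2 iterates, and the recovery of Q = P^{-1} by collecting independent linear equations Q_i(P(A)) = A_i in reduced row-echelon form, the accept-or-discard loop described above. The toy key, the degree bound and all function names are constructed for this illustration.

```python
import itertools
import random

P_MOD = 7    # R = Z_7, a finite field and hence a J-ring (a^7 = a for every a)
N_VARS = 2
DEGREE = 4   # total degree of the inverse Q we solve for (T(2,4) = 15 coefficients per Q_i)


def public_key(x):
    """Constructed toy P: x1 <- x1 + x2^2, then x2 <- x2 + x1^2 (two substitution rounds), mod 7.
    Its inverse is Q_1 = y1 - (y2 - y1^2)^2, Q_2 = y2 - y1^2, which the solver below must recover."""
    x1, x2 = x
    y1 = (x1 + x2 * x2) % P_MOD
    y2 = (x2 + y1 * y1) % P_MOD
    return (y1, y2)


def monomials(n, k):
    """Exponent tuples of every term of total degree <= k in n variables (T(n,k) of them)."""
    return [e for e in itertools.product(range(k + 1), repeat=n) if sum(e) <= k]


def eval_monomials(mons, y):
    """Value of each monomial y_1^e_1 ... y_n^e_n at the point y, mod P_MOD."""
    vals = []
    for e in mons:
        v = 1
        for yi, ei in zip(y, e):
            v = v * pow(yi, ei, P_MOD) % P_MOD
        vals.append(v)
    return vals


def eval_poly(coef, y):
    """Evaluate a polynomial given as {exponent tuple: coefficient}."""
    return sum(c * v for c, v in zip(coef.values(), eval_monomials(list(coef), y))) % P_MOD


def add_equation(rows, pivots, new, q):
    """Step 2 of the paper's procedure: keep the system in reduced row-echelon form mod P_MOD and
    accept the augmented row [monomial values | A_1..A_n] only if it is independent."""
    for r, c in zip(rows, pivots):
        if new[c]:
            f = new[c]
            new = [(a - f * b) % P_MOD for a, b in zip(new, r)]
    c = next((j for j in range(q) if new[j]), None)
    if c is None:
        return False                           # dependent: discard it
    inv = pow(new[c], P_MOD - 2, P_MOD)        # Fermat inverse of the pivot
    new = [a * inv % P_MOD for a in new]
    for i, r in enumerate(rows):               # clear column c from the rows already kept
        if r[c]:
            f = r[c]
            rows[i] = [(a - f * b) % P_MOD for a, b in zip(r, new)]
    rows.append(new)
    pivots.append(c)
    return True


def recover_inverse(P, n=N_VARS, k=DEGREE, seed=1, max_tries=10_000):
    """Solve for the coefficients of Q = P^{-1}: each random plaintext A != 0 gives the linear
    equations Q_i(P(A)) = A_i, one right-hand side per component i."""
    mons = monomials(n, k)
    q = len(mons)                              # unknown coefficients per Q_i
    rng = random.Random(seed)
    rows, pivots, tries = [], [], 0
    while len(rows) < q and tries < max_tries:
        A = tuple(rng.randrange(P_MOD) for _ in range(n))
        if not any(A):
            continue                           # the paper chooses A != 0
        tries += 1
        add_equation(rows, pivots, eval_monomials(mons, P(A)) + list(A), q)
    if len(rows) < q:
        raise RuntimeError("could not collect enough independent equations")
    # With q pivots the coefficient block is the identity, so row r with pivot c reads:
    # coefficient of mons[c] in Q_i equals the right-hand side r[q + i].
    return [{mons[c]: r[q + i] for r, c in zip(rows, pivots)} for i in range(n)], tries


def check_inverse(P, Q, n=N_VARS):
    """True if Q(P(x)) = x for every x in (Z_7)^n."""
    return all(tuple(eval_poly(Qi, P(x)) for Qi in Q) == x
               for x in itertools.product(range(P_MOD), repeat=n))
```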

5.2 The Nilpotent Case 

The message is a vector in $N^n$ where N is a nilpotent ring embedded as a maximal nilpotent 
ideal in a local ring R. The quotient ring R/N is a finite field. $N^n$ is invariant under the public 
key polynomial map $P: R^n \to R^n$. That is, $P: N^n \to N^n$ is one to one and onto. The component 
polynomials $P_i$ of P have coefficients in R. To find the coefficients of $Q = P^{-1}$ we first work over 
the field R/N and then raise the solution to R. 

We can assume that $P_i$ $(i = 1, \dots, n)$ has no constant term. Otherwise $P(X) = T(X) + C$ 
where C is a constant vector in $N^n$ and $T(X)$ is a polynomial transformation whose components 
have no constant terms. P is invertible on $N^n$ if and only if T is. If $U = T^{-1}$ on $N^n$ then 
$Q(Y) = U(Y - C)$ is $P^{-1}$ on $N^n$. 

Let $P_L$ and $Q_L$ be the linear parts of P and Q. Then 

$$x = Q(P(x)) = Q_L(P_L(x)) + \text{higher order terms}.$$

Let $(P_L \bmod N)$ mean the polynomial obtained by replacing each coefficient, c, of $P_L$ by $(c \bmod N)$. 
We invert $P_L$ to find $Q_L$. First find 

$$Q'_L = (P_L \bmod N)^{-1} \quad \text{over } R/N.$$

Now form $Q''_L$ with coefficients in R by replacing each coefficient of $Q'_L$ by a representative in R 
of its class. Then 

$$Q''_L \circ P_L = I + B \quad \text{where } B \text{ has entries in } N$$

and 

$$(I - B + B^2 - \cdots \pm B^{h-1})\, Q''_L P_L = I \pm B^h = I \quad \text{on } N^n.$$

So set 

$$Q_L = P_L^{-1} = (I - B + B^2 - \cdots \pm B^{h-1})\, Q''_L.$$

Now go on to the quadratic terms. Let $P_Q$ and $Q_Q$ be the quadratic parts and $P_H$ and $Q_H$ the 
higher order parts of P and Q respectively. Then 

$$\begin{aligned}
x = Q(P(x)) &= Q_L(P_L(x) + P_Q(x) + P_H(x)) + Q_Q(P_L(x) + P_Q(x) + P_H(x)) \\
&\quad + Q_H(P_L(x) + P_Q(x) + P_H(x)) \\
&= Q_L(P_L(x)) + Q_L(P_Q(x)) + Q_Q(P_L(x)) + \text{higher order terms}.
\end{aligned}$$

This gives a system of equations whose unknowns are the coefficients of $Q_Q$. We can proceed as 
with the linear parts, finding the coefficients of Q one degree at a time. 

For rings of practical size, these systems are therefore too easily solved to be secure. 
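The linear-part lifting of section 5.2 as an added Python example (not the paper's code): R = Z_8 is a local ring whose maximal ideal N = 2Z_8 is nilpotent, so a matrix P_L is inverted mod 2, read back into Z_8 as Q''_L, and corrected by the finite series (I − B + B² ∓ …) Q''_L. The sample matrix and the function names are constructed for this illustration.

```python
def mat_mul(A, B, m):
    """Matrix product with entries reduced mod m."""
    n = len(A)
    return [[sum(A[i][t] * B[t][j] for t in range(n)) % m for j in range(n)] for i in range(n)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def inverse_mod_prime(A, p):
    """Gauss-Jordan inverse over the residue field R/N = Z_p; raises if A is singular mod p."""
    n = len(A)
    M = [[a % p for a in row] + e for row, e in zip(A, identity(n))]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            raise ValueError("P_L mod N is not invertible")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], p - 2, p)
        M[col] = [a * inv % p for a in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def lift_inverse(P_L, p, e):
    """Q_L = P_L^{-1} over the local ring R = Z_{p^e}, whose maximal ideal N = pR is nilpotent:
    Q''_L is the mod-p inverse read back into R, B = Q''_L P_L - I has entries in N, and
    Q_L = (I - B + B^2 - ... +- B^{h-1}) Q''_L, the series stopping once B^h = 0."""
    m, n = p ** e, len(P_L)
    Q2 = inverse_mod_prime(P_L, p)
    B = mat_mul(Q2, P_L, m)
    for i in range(n):
        B[i][i] = (B[i][i] - 1) % m            # B = Q''_L P_L - I; every entry is a multiple of p
    series, power, sign = identity(n), identity(n), 1
    while True:
        power = mat_mul(power, B, m)           # B, B^2, B^3, ...
        sign = -sign
        if all(v == 0 for row in power for v in row):
            break                              # B^h = 0, so the partial sum is the exact inverse
        series = [[(s + sign * t) % m for s, t in zip(srow, trow)]
                  for srow, trow in zip(series, power)]
    return mat_mul(series, Q2, m)
```

For the constructed P_L = [[3, 5], [2, 7]] over Z_8 the mod-2 inverse is [[1, 1], [0, 1]], B has entries in 2Z_8 with B³ = 0, and the lifted inverse is [[5, 1], [2, 1]].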

5.3 The Upper-Triangular Case 

The encrypting transformation is $(X_1, X_2) \to P(X_1, X_2) = (P_1(X_1, X_2), P_2(X_1, X_2))$ where 
$X_1, X_2$ are upper-triangular matrices over a commutative ring R and $P_1, P_2$ are polynomials 
with coefficients in R. To decrypt, we must find a polynomial system $Q = (Q_1, Q_2)$ such that 
$Q_i(P(X_1, X_2)) = X_i$ $(i = 1, 2)$. As before, we can use P and Q to produce pairs $(U, V)$, $Q(U, V)$ 
and to set up a system of linear equations in the coefficients of Q. This system is particularly easy 
to solve as only the linear and constant terms show up in the entries just above the diagonal of 
$Q(U, V)$. The quadratic terms enter into the entries two levels above the diagonal and so on. We 
can, therefore, solve for the coefficients of Q in a layered manner, similar to the nilpotent case. 

6 Conclusions 

We set out to build a public key cryptosystem by repeatedly substituting for variables in 
multivariate polynomials and simplifying the results to conceal the substitution process. There 
seems, however, to be no way to build such a system that is both secure and has a public key of 
practical size when the devices used to limit the number of coefficients are nilpotence and J-rings. 
We have only shown, however, that it is impossible to produce such a system if the total degree of 
the encryption polynomial determines the size of the public key. Perhaps, by properly choosing $p_0$ 
and $p_1$, we can employ the fundamental scheme to produce sparse encrypting polynomials. Then 
the public key could be kept small while the encrypting polynomial has large total degree and is 
difficult to invert. 

References 

[1] Don Coppersmith and Edna Grossman, "Generators for Certain Alternating Groups with 
Applications to Cryptography," SIAM J. Appl. Math., Vol. 29, No. 4, pp. 624-627, Dec 1975. 

[2] Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Trans. Info. 
Thy., Vol. IT-22, No. 6, pp. 644-654, November 1976. 

[3] Data Encryption Standard, FIPS Pub. No. 46, National Bureau of Standards, 15 January 
1977. 

[4] Solomon W. Golomb, Shift Register Sequences, Holden Day, San Francisco, 1967. 

[5] R. McEliece, A Public-Key Cryptosystem Based On Algebraic Coding Theory, DSN Progress 
Report 42-44, Jet Propulsion Lab, Calif. Inst. of Tech., Pasadena CA, Jan-Feb 1978. 

[6] R. C. Merkle and M. E. Hellman, "Hiding Information and Signatures in Trapdoor Knapsacks," 
IEEE Transactions on Information Theory, Vol. IT-24, No. 5, pp. 525-530, September 1978. 

[7] R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and 
Public Key Cryptosystems," CACM, Vol. 21, No. 2, pp. 120-126, February 1978. 

[8] Gustavus J. Simmons. Personal Communication. 



DEVELOPING AN RSA CHIP 



Martin Kochanski 
Business Simulations Ltd 
Scriventon House 
Speldhurst 
Kent TN3 OTU 
England. 



Introduction. 



FAP4 is a fast arithmetic processor designed specifically for modular 
operations, including exponentiation, on large integers. It is at 
present implemented as an array of 32-bit bit-slice processors, which may 
be interconnected without additional circuitry to obtain word lengths of 
up to 1023 bits. With 512-bit operands, exponentiation takes 133 
milliseconds at worst (100 ms typically). 



Architecture. 



FAP4 is based on a new serial/parallel architecture for performing 
multiplication and modulo reduction together in one pass. It takes one 
clock cycle per bit of the multiplier, plus a small fixed overhead, to 
perform a single modular multiplication. While the overall serial 
one-pass nature of this architecture resembles Brickell's scheme [1], it is 
less complex, requires less circuitry to implement it, and is less 
sensitive to the exact details of implementation. 

In implementing this architecture, a decision on partitioning had to be 
made: what should be done in hardware, and what by the host 
microprocessor? 

At one extreme, a design such as Rivest's original one [3] does 
everything on-chip, even primality testing. The larger the chip, the 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 350-357, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






more difficult it is to make; and if high-level algorithms are built in 
to it, what happens if someone develops a better algorithm? 

At the other extreme, one could implement as little as possible in 
hardware. The drawbacks of this can be seen in our own first-ever fast 
arithmetic processor (FAP1), whose central multiplier chip did a 
multiplication in 150ns and then waited over 1000ns for the host 
microprocessor to tell it what to do next! 

We therefore decided that the complexity of operations performed by a 
fast integer arithmetic chip should be such that the host microprocessor 
knew what to do next by the time the chip had finished: chip time (which 
was expensive) would not be wasted, and excessive amounts of chip space 
(also expensive) would not be needed. In concrete terms, this meant that 
the chip should be able to do at least a single full-length modular 
multiplication. Even if this took only 30us, it would still leave enough 
time for the microprocessor to extract (say) the next bit of an exponent 
and formulate an appropriate command. 



Implementation. 

Implementing this architecture posed a problem. Typically, one would 
construct a small prototype using standard TTL chips before planning 
further designs - but FAP4 involved a "long, thin" design consisting of a 
few register bits and a little logic at each stage, and such a design 
does not lend itself to an efficient TTL implementation. 

Accordingly, we decided to omit this prototyping phase and implement the 
architecture directly on semi-custom gate arrays. Because of the serial 
architecture, it was easy to partition the design into manageable slices, 
and 32 bits was selected as the slice size. Fujitsu's VH2600 series of 
2.3 micron CMOS arrays was chosen. 






The chip. 



The FAP4 chips are packaged as 64-pin pin grid arrays. Pins are 
allocated as follows: 

    Address bus:               10 pins   \
    Data bus:                   8 pins    |  Microprocessor
    Control lines:              6 pins    |  interface
    READY signal:               1 pin    /
    Power:                      4 pins
    Clock:                      1 pin
  * Serial interconnections:   14 pins   (7 between each pair of adjacent chips)
  * Identifiers:                5 pins   (tied to logic 1 or 0 to identify each chip's
                                          position in the array)
  * Internal control bus:      10 pins
  * Controller slicing:         3 pins   (see below)

The groups marked * are the pins which exist only because of the 
partitioning into 32-bit slices. It will be seen that without this 
overhead, a single-chip implementation would require only 28 pins. 



As well as a 32-bit arithmetic slice, each chip contains a 5-bit 
controller slice. In an array, two of these slices are used together to 
implement a 10-bit controller for the array, and the remaining controller 
slices are inactive. This approach allowed the use of a single type of 
chip throughout, rather than having separate arithmetic and controller 
chips. An array can thus be expanded to up to 1,024 bits without 
exceeding the controller's capacity; further expansion requires a separate 
controller to be provided. 

Each chip uses 2,400 2-input NAND equivalent cells, of which about 2,000 
are used for the arithmetic slice - about 63 cells per bit. 

A typical 512-bit (16-chip) array runs at 5MHz. A 512-bit array will be 
assumed in all the descriptions of operation and algorithms in this 
paper. 






FAP4 chip block diagram. 

[Block diagram: command register; controller state machine; serial ALU; bus interface and 
address decoder; identifier (5 bits); X, Y and R registers (32 bits each); serial links to 
the next and previous FAP4 in the array.] 

FAP4 512 bit array block diagram. 

[Block diagram: host bus (address lines A8-A0, data lines D7-D0, control lines, RESET, READY) 
through LS240, LS244 and LS245 buffers; clock generator; array of 16 FAP4 chips.] 

Operation. 

The FAP4 array has a standard byte-wide bus interface, and appears to a 
host microprocessor as a 512-byte memory space and a single output port. 

The output port accesses the FAP4 array's command register, and is used 
to convey commands to the array. As soon as a command is written, the 
READY interface line goes low and the specified operation is performed. 
When the operation is completed, READY goes high, and the host can access 
the array's memory or write a new command to the command register. The 
READY signal can be interfaced to the host system in a variety of ways: 
directly to an input port, which the host then polls to test for 
completion of an operation; to an interrupt controller, so that the host 
is interrupted whenever the FAP4 array has completed an operation; or to 
a direct memory access (DMA) controller, so that a sequence of commands 
can be sent to the FAP4 array without any need for intervention by the 
host. 



Possible commands are as follows (commands are shown in binary, most 
significant bit first): 

    00000000    Y := Y * Y 
    00000001    Y := Y * X 
    00000010    Y := (Y * Y) * X 
    00000011    Y := (Y * X) * X 

where a * b means "multiply register a by the C most significant bits of 
register b, reducing the result modulo R". 

The first two operations take approximately C+100 clock cycles; the last 
two take twice as long. 

Memory is assigned to registers as follows (addresses are in hexadecimal 
relative to the base of the board's address space): 

    00 to 7F:      Y register 
    80 to FF:      X register 
    100 to 17F:    R register (write-only) 
    1F8 and 1FC:   C register (write-only) 

The X, Y, and R registers are up to 1024 bits (128 bytes) long. In an 
array of fewer than 32 chips, the X, Y, and R registers are 
correspondingly shorter, so that in a 16-chip (512-bit) array, register R 
will extend only from address 140 to 17F. 



Register R defines the modulus to be used. If it is zero, then no modulo 
reduction takes place; otherwise, for correct operation, the two most 
significant bits of R must be 01: in other words, 

    2^510 <= R <= 2^511 - 1 

If the modulus required is outside this range, it can be shifted to fall 
within it; the Y and X operands can then be shifted to correspond with 
this. 

Registers X and Y define the operand values to be used; the result of 
each arithmetic operation is stored in register Y, from where it can be 
read by the host processor. For correct operation, the value of Y 
should always be less than that of R in modular operations. 

Register C is 10 bits long, and is used to define the precision of the 
current operation, which may be less than the available capacity of the 
board: smaller values of C produce faster operations. 



Operation. 

A typical sequence of operations is: 

1. Write operands to FAP4's memory. 

2. Issue a command. 

3. Wait for the READY signal to go high. 

4. Read results from FAP4's memory. 



Algorithms. 

* Multiplication with modulo reduction is the fundamental operation of 
  the chip. 

* Multiplication without modulo reduction can be done by setting R to 
  zero. 

* Exponentiation is performed by scanning the exponent from left to right 
  and issuing command 10 (square and multiply) if a bit is 1 or 00 
  (square) if it is 0. These commands can be precomputed and a DMA 
  channel used to pass them to the array: there is then about a 
  microsecond's latency between commands. 

  Faster operation could be achieved in an implementation with more 
  registers: for instance, the cube of the base could be stored in a 
  separate register, and the sequence "square, multiply, square, 
  multiply" replaced by "square, square, multiply by cube": but no such 
  extension can do more than double the speed of exponentiation. 

* Division can be performed by multiplication and modulo reduction. A 
  simple example in base 10 is: 

      314159 x 10000 modulo 1469999 = 202137 
      so 314159 / 147 = 2137 remainder 20. 

* Highest common factor computations can be speeded up by modifying 
  Euclid's algorithm to work with left-justified operands. 

* Modular division (finding y such that x * y = z mod r) normally uses 
  Euclid's algorithm with a parallel calculation building up the 
  inverse as the algorithm progresses. A similar technique to that 
  used for division can combine the two processes into one. 

* Primality testing is best done by using a procedure such as Knuth's 
  Algorithm P [2], which involves repeated squaring and hence no 
  reloading of operands. 



Performance. 

At a clock rate of 5MHz, the single multiplication commands 00000000 and 
00000001 are executed in c/5 + 20 microseconds, where c is the operand 
length stored in the C register. For full 512-bit operations, this 
gives a time of 124us per operation. The double-multiplication commands 
00000010 and 00000011 take twice as long. 

The time taken for a full exponentiation depends on the number of 1 bits 
in the binary representation of the exponent. The worst-case time for a 
511-bit exponentiation is 133ms, and the average time is 100ms. 
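A software model of the FAP4 command set written for this page (not the vendor's firmware): the four command codes, the READY handshake, the host-side left-to-right exponent scan, the base-10 division trick from the Algorithms section, and a cycle count following the "approximately C+100 clock cycles per single multiplication" rule. Class and function names are assumptions of this example, and operands are held right-justified, a simplification of the chip's C-most-significant-bits convention.

```python
CLOCK_MHZ = 5   # the paper's 512-bit array clock


class FAP4Array:
    """Register-level model of the array as the host sees it: X, Y, R, C and a command register."""

    def __init__(self, width_bits=512):
        self.width = width_bits
        self.X = self.Y = self.R = 0
        self.C = width_bits         # precision register: operand length used by the current command
        self.cycles = 0             # clock cycles spent in commands so far
        self.ready = True           # the READY interface line

    def _mul(self, a, b):
        """a * b in the paper's sense: multiply C-bit operands, reduce modulo R unless R is zero."""
        mask = (1 << self.C) - 1    # simplification: operands are held right-justified here
        prod = (a & mask) * (b & mask)
        return prod % self.R if self.R else prod

    def command(self, code):
        """Write to the command register: READY goes low, the operation runs, READY goes high."""
        self.ready = False
        if code == 0b00000000:
            self.Y, mults = self._mul(self.Y, self.Y), 1
        elif code == 0b00000001:
            self.Y, mults = self._mul(self.Y, self.X), 1
        elif code == 0b00000010:
            self.Y, mults = self._mul(self._mul(self.Y, self.Y), self.X), 2
        elif code == 0b00000011:
            self.Y, mults = self._mul(self._mul(self.Y, self.X), self.X), 2
        else:
            raise ValueError("unknown FAP4 command %r" % code)
        self.cycles += mults * (self.C + 100)   # "approximately C+100 clock cycles" per multiplication
        self.ready = True

    def elapsed_us(self):
        """Time consumed so far at the 5 MHz clock (c/5 + 20 us per single-multiply command)."""
        return self.cycles / CLOCK_MHZ


def exponent_command_stream(e):
    """Host side: scan e left to right after its leading 1 bit, issuing 00000010 (square and
    multiply) for a 1 bit and 00000000 (square) for a 0 bit; the list can be fed by DMA."""
    return [0b00000010 if bit == "1" else 0b00000000 for bit in bin(e)[3:]]


def modexp(fap, base, exponent, modulus):
    """Y := base^exponent mod modulus, driving the model as the host would."""
    if exponent == 0:
        return 1 % modulus
    fap.R = modulus
    fap.X = fap.Y = base % modulus                 # 1. write operands (Y = X covers the leading 1 bit)
    for code in exponent_command_stream(exponent):
        fap.command(code)                          # 2. issue a command; 3. READY rises at once here
    return fap.Y                                   # 4. read the result


def divide_by_modmul(fap, a, d, base=10_000):
    """The paper's division trick: with R = d*base - 1, (a * base) mod R = remainder*base + quotient,
    valid while the quotient is below `base` and the result is below R. Returns (quotient, remainder)."""
    fap.R = d * base - 1
    fap.Y, fap.X = a, base
    fap.command(0b00000001)                        # Y := Y * X
    return fap.Y % base, fap.Y // base
```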



Applications. 

FAP4 can be used for: 

* Implementation of the RSA or similar number-theoretic public-key 
  cryptosystems. 

* Key setup and exchange for other cryptosystems. 

* Authentication of messages and electronic mail by means of 
  "digital signatures". 

* Generation of prime numbers and sets of keys for public-key 
  cryptography. 

* Add-on acceleration of high-precision fixed-point operations for a 
  host computer. 

* Number theoretic research: e.g. evaluation of factorisation 
  algorithms. 



Availability. 

FAP4 is available now, as chip sets; or on a 512-bit array board with a 
generic microprocessor interface. Also available are an interface card 
for the IBM PC; and a special XBASIC interpreter, which provides a 
version of the Basic language which includes support for high-precision 
arithmetic and for arithmetic operations with built-in modulo reduction. 



REFERENCES: 

[1] E.F. Brickell, "A Fast Modular Multiplication Algorithm with 
    Applications to Cryptography", Advances in Cryptology: Proceedings of 
    CRYPTO 82, Plenum Press, New York: 1983. 
[2] Donald E. Knuth, The Art of Computer Programming, 2: Seminumerical 
    Algorithms, Addison-Wesley, New York: 1981 (2nd edition) p. 379. 
[3] R.L. Rivest, "A Description of a Single-Chip Implementation of the 
    RSA Cipher", LAMBDA Magazine 1, 3 (Fourth Quarter 1980), 14-18. 



An $M^3$ Public-Key Encryption Scheme 

H.C. Williams* 
Department of Computer Science 
University of Manitoba 
Winnipeg, Manitoba 
CANADA R3T 2N2 

1. Introduction. It is well known that the RSA public-key cryptosystem can be 
broken if the composite modulus can be factored. It is not known, however, whether 
the problem of breaking any RSA system is equivalent in difficulty to factoring the 
modulus. In 1979 Rabin [5] introduced a public-key cryptosystem which is as difficult 
to break as it is to factor a modulus $R = p_1 p_2$, where $p_1, p_2$ are two distinct 
large primes. Essentially Rabin suggested that the designer of such a scheme first 
determine $p_1$ and $p_2$, keep them secret and make R public. Anyone wishing to 
send a secure message M $(0 < M < R)$ to the designer would encrypt M as K, where 

$$K \equiv M^2 \pmod{R}$$

and $0 < K < R$, then transmit K to the designer. 

The designer can determine M from K by solving the congruences 

$$(1.1)\qquad x^2 \equiv K \pmod{p_1}, \qquad y^2 \equiv K \pmod{p_2}$$

for x and y. Since $M \equiv \pm x \pmod{p_1}$ and $M \equiv \pm y \pmod{p_2}$, by using the Chinese 
Remainder Theorem he can deduce four different possibilities for M. If M has some 
kind of internal redundancy, it should be possible to select the correct M from 
among the four candidates. 

There are two difficulties with this scheme. 

(i) Although there are $O(\log p)$ probabilistic methods for solving the 
quadratic congruence (see §5) 

$$x^2 \equiv M \pmod{p}$$

when p is a prime, the solution of (1.1) and the subsequent use of the 
Chinese Remainder Theorem can still be quite time consuming. 

(ii) The 4:1 ambiguity in the decrypted messages can be a problem, especially 
if (as is often the case in transmitting keys) internal redundancy in M 
is to be minimized. 

Indeed, Rabin only advocated his technique as a signature scheme and not as an 
encryption technique. He also pointed out that, if we insist that $p_1 \equiv p_2 \equiv 1 \pmod 3$, 
then we can replace the $K \equiv M^2 \pmod{R}$ step by $K \equiv M^3 \pmod{R}$ and also 
get a scheme as difficult to break as it is to factor R. However, in this case we 
get a 9:1 ambiguity in the decrypted messages. 

* Research supported by NSERC of Canada Grant A7649. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 358-368, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






In [10] Williams showed how a scheme like Rabin's could be developed in which 
problems (i) and (ii) could be eliminated. This technique made use of the following 
theorem. 

Theorem 1.1 If $p_1 \equiv p_2 \equiv -1 \pmod 4$, $R = p_1 p_2$, and the Jacobi symbol $(X/R) = 1$ 
for some X, then 

$$X^{(p_1 - 1)(p_2 - 1)/4} \equiv \pm 1 \pmod{R}.$$

Corollary. If $K \equiv X^2 \pmod{R}$ and $(X/R) = 1$, then 

$$K^d \equiv \pm X \pmod{R}$$

where $d = ((p_1 - 1)(p_2 - 1)/4 + 1)/2$. 



In this scheme the designer determines R and d and a small S such that 
$(S/R) = -1$. (In [10] R was calculated in such a way that S = 2.) He makes R 
and S public and keeps d secret. Anyone wishing to send a secure message 
M to the designer 

(1) determines $b_1$ (= 0 or 1) such that $(M/R) = (-1)^{b_1}$; 

(2) puts 

$$M_0 \equiv S^{b_1} M \pmod{R},$$

where $0 < M_0 < R$, and computes $b_2$ (= 0 or 1) such that $b_2 \equiv M_0 \pmod 2$; 

(3) computes 

$$(1.2)\qquad K \equiv M_0^2 \pmod{R}$$

where $0 < K < R$; 

(4) and then transmits $L = \{K, b_1, b_2\}$. 

To decrypt L the designer 

(1) finds $N \equiv K^d \pmod{R}$, 
where $0 < N < R$; 

(2) puts $N_0 = R - N$ or N, whichever is even; 

(3) and computes 

$$M \equiv S^{-b_1} N_0 \pmod{R}$$

where $0 < M < R$. 



This scheme, like Rabin's, is as difficult to break as it is to factor R.

Actually, the scheme presented here differs from that given in [10] in two respects.
First, it is more general in that it allows for the utilisation of an arbitrary S
such that $(S/R) = -1$ instead of restricting S to 2. Also, in [10] the designer
could include a value of e such that $\gcd(e, \phi(R)) = 1$ in his public key $\{R, S, e\}$.
This allows for the combination of the above idea with that of the RSA technique.
This is easily done by replacing (1.2) above by

$K \equiv M_0^{2e} \pmod R$.

Of course, the designer must now evaluate his value for d by solving the
linear congruence

$de \equiv ((p_1 - 1)(p_2 - 1)/4 + 1)/2 \pmod{\phi(R)}$.

The use of this value of e (especially if e is fairly large) will frustrate attacks
like those mentioned by Lipton in [1].
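The quadratic scheme of this section, worked through in Python as an added example (this is not code from the paper): `jacobi` evaluates (a/n) by quadratic reciprocity, `keygen` picks a small S with (S/R) = -1 by trial as [10] does and solves the congruence above for d with the optional RSA exponent e (e = 1 gives the plain scheme), and `encrypt`/`decrypt` follow steps (1)-(4) and (1)-(3). The primes and messages used are small constructed values and the function names are chosen here.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed with quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def keygen(p1, p2, e=1):
    """Designer's side: public (R, S, e) with (S/R) = -1 and secret d solving
    d*e = ((p1-1)(p2-1)/4 + 1)/2 (mod phi(R)); e = 1 is the scheme without RSA exponent."""
    assert p1 % 4 == 3 and p2 % 4 == 3 and p1 != p2   # p1 = p2 = -1 (mod 4), Theorem 1.1
    R = p1 * p2
    phi = (p1 - 1) * (p2 - 1)
    assert gcd(e, phi) == 1
    S = next(s for s in range(2, R) if jacobi(s, R) == -1)   # small S found by trial
    target = (phi // 4 + 1) // 2       # (p1-1)(p2-1)/4 is odd, so the division is exact
    d = (target * pow(e, -1, phi)) % phi
    return (R, S, e), d

def encrypt(pub, M):
    """Steps (1)-(4): b1 from the Jacobi symbol of M, b2 the parity of M0, K = M0^(2e)."""
    R, S, e = pub
    assert 0 < M < R and gcd(M, R) == 1
    b1 = 0 if jacobi(M, R) == 1 else 1
    M0 = (pow(S, b1, R) * M) % R       # (M0/R) = (S/R)^b1 (M/R) = 1
    b2 = M0 % 2
    K = pow(M0, 2 * e, R)
    return K, b1, b2

def decrypt(pub, d, L):
    """Steps (1)-(3): N = K^d = +-M0; the parity bit fixes the sign, then undo S^b1."""
    R, S, e = pub
    K, b1, b2 = L
    N = pow(K, d, R)
    N0 = N if N % 2 == 0 else R - N    # the even one of N and R - N
    return (pow(S, -b1, R) * (-1) ** b2 * N0) % R

if __name__ == "__main__":
    pub, d = keygen(7, 11)             # constructed toy parameters: R = 77, S = 2, d = 8
    L = encrypt(pub, 5)
    print(pub, d, L, decrypt(pub, d, L))
```

Because (M/R) = 0 whenever gcd(M, R) > 1, the sender's assertion rejects such messages; with real-sized R they do not occur in practice, but the check is what keeps the round trip exact for every admissible M.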

The purpose of this paper is to show how this same idea can be extended to the
$M^3$ scheme suggested by Rabin. We first point out that in order to develop our
previous cryptosystem it was necessary that we

I. have the Jacobi symbol and (in order that the scheme be useable) be able
to determine the symbol rapidly, i.e. in O(log R) steps;
II. have Theorem 1.1;
III. and have a method for the designer to identify the actual message which
was sent (decryption steps (2) and (3)).

Our strategy for extending our idea, then, will be to extend each of I., II., and
III.

2. Arithmetic in Q(ρ). Let $\mathbb{Z}$ denote the set of all rational integers and let ρ
be a primitive cube root of unity, that is $\rho^2 + \rho + 1 = 0$. Let K = Q(ρ) be the
algebraic number field formed by adjoining ρ to the rationals Q. In this section
we will review several of the well-known results concerning K and then develop a
theorem analogous to Theorem 1.1.

We first denote by $O_K$ the set

$O_K = \{a + b\rho \mid a, b \in \mathbb{Z}\}$.

$O_K$ is the set of all algebraic integers in K. If $\alpha \in O_K$, then $\alpha = a + b\rho$
for some $a, b \in \mathbb{Z}$ and the norm of α, N(α), is $\alpha\bar\alpha$ where $\bar\alpha = a + b\rho^2$. Thus

$N(\alpha) = a^2 - ab + b^2$.

The primes in $O_K$ are given by

(i) $1 - \rho$;

(ii) p, where p is a prime in $\mathbb{Z}$ and $p \equiv -1 \pmod 3$;

(iii) $a + b\rho$, where $a \equiv -1 \pmod 3$, $3 \mid b$, and $N(a + b\rho) = p$, where p is a
prime in $\mathbb{Z}$ and $p \equiv 1 \pmod 3$.

Since $O_K$ is a unique factorization domain, for any nonzero $\beta \in O_K$ we have

(2.1)    $\beta = \varepsilon \prod_{i=1}^{t} \pi_i^{k_i}$,

where the $\pi_i$ (i = 1, 2, ..., t) are primes of $O_K$ and ε is a unit,
$\varepsilon \in \{1, -1, \rho, -\rho, \rho^2, -\rho^2\}$. Also, this expression for β is unique
(up to order of the $\pi_i$'s).






We also have

Theorem 2.1 If $\alpha \in O_K$ and π is a prime of $O_K$ with $\pi \nmid 3\alpha$, then

$\alpha^{(N(\pi) - 1)/3} \equiv \rho^\lambda \pmod \pi$,

where $\lambda \in \{0, 1, 2\}$. □

If, with Jacobi, we define the symbol $[\alpha/\pi]$ to be the value of $\rho^\lambda$ in Theorem 2.1,
we can get an extended Jacobi symbol by defining $[\alpha/\beta]$ as

$[\alpha/\beta] = \prod_{i=1}^{t} [\alpha/\pi_i]^{k_i}$,

when β has the prime power decomposition given by (2.1).

Let $p_1 \equiv p_2 \equiv 1 \pmod 3$ be two distinct primes in $\mathbb{Z}$, $R = p_1 p_2$, and let
$\pi_1, \pi_2$ be primes of $O_K$ such that $N(\pi_1) = p_1$ and $N(\pi_2) = p_2$. Such $\pi_1$ and $\pi_2$
always exist and in Algorithm 1 of section 5 we describe an expeditious method for
finding them. If $\pi_1 = a_1 + b_1\rho$ and $\pi_2 = a_2 + b_2\rho$ ($a_1, b_1, a_2, b_2 \in \mathbb{Z}$), then

$\pi_1 \pi_2 = A + B\rho$,

where $A = a_1 a_2 - b_1 b_2$, $B = a_1 b_2 + a_2 b_1 - b_1 b_2$ and $\gcd(B, R) = 1$.

Compute $C \in \mathbb{Z}$ by

$C \equiv -A B^{-1} \pmod R$.

Note that since

$R = p_1 p_2 = N(\pi_1 \pi_2) = A^2 - AB + B^2$,

we have

$C^2 + C + 1 \equiv 0 \pmod R$ and $C^3 \equiv 1 \pmod R$;

indeed,

$C \equiv \rho \pmod{\pi_1 \pi_2}$.

We can now prove a result analogous to Theorem 1.1.

Theorem 2.2 If $(p_1 - 1)(p_2 - 1)/9 \equiv -1 \pmod 3$ and $[X/\pi_1 \pi_2] = 1$ for some $X \in \mathbb{Z}$,
then

$X^{(p_1 - 1)(p_2 - 1)/9} \equiv C^\lambda \pmod R$,

where $\lambda \in \{0, 1, 2\}$.

Proof. Let $[X/\pi_1] = \rho^\varepsilon$ ($\varepsilon \in \{0, 1, 2\}$). Since $[X/\pi_1 \pi_2] = 1$, we must have
$[X/\pi_2] = \rho^{3 - \varepsilon}$. Now $(p_1 - 1)(p_2 - 1)/9 \equiv -1 \pmod 3$; hence,

(2.2)    $\varepsilon (p_1 - 1)/3 \equiv (3 - \varepsilon)(p_2 - 1)/3 \pmod 3$.

We have $X^{(p_1 - 1)/3} \equiv \rho^\varepsilon \pmod{\pi_1}$ and $X^{(p_2 - 1)/3} \equiv \rho^{3 - \varepsilon} \pmod{\pi_2}$;
thus, if $\lambda \equiv \varepsilon (p_2 - 1)/3 \pmod 3$ ($\lambda \in \{0, 1, 2\}$), then from (2.2) we see that

$X^{(p_1 - 1)(p_2 - 1)/9} \equiv \rho^\lambda \pmod{\pi_1}$

and

$X^{(p_1 - 1)(p_2 - 1)/9} \equiv \rho^\lambda \pmod{\pi_2}$.

It follows that

$X^{(p_1 - 1)(p_2 - 1)/9} \equiv \rho^\lambda \equiv C^\lambda \pmod{\pi_1 \pi_2}$

and

$X^{(p_1 - 1)(p_2 - 1)/9} \equiv C^\lambda \pmod R$. □

Corollary. If $\pi_1$ and $\pi_2$ are defined as above, $K \equiv X^3 \pmod R$ and $[X/\pi_1 \pi_2] = 1$,
then

$K^d \equiv C^\lambda X \pmod R$,

where $\lambda \in \{0, 1, 2\}$ and $d = ((p_1 - 1)(p_2 - 1)/9 + 1)/3$.

3. The $M^3$ Scheme. In our $M^3$ scheme the designer selects two large distinct
primes $p_1, p_2$ such that $p_1 \equiv p_2 \equiv 1 \pmod 3$ and $(p_1 - 1)(p_2 - 1)/9 \equiv -1 \pmod 3$.
He then determines $a_1, a_2, b_1, b_2, A, B, C, d$ as described in §2. He also selects
(by trial) a value for $S \in \mathbb{Z}$ such that $[S/\pi_1 \pi_2] = \rho$ and evaluates $S^{-1} \pmod R$.
He makes his encryption key $\{A, B, S\}$ public. Since $R = A^2 - AB + B^2$, the key
occupies the same amount of space as that needed by our $M^2$ scheme.

To encrypt a message M ($0 < M < R$) the sender executes the following steps.

(1) Evaluate the extended Jacobi symbol $[M/A + B\rho] = \rho^{b_1}$, where $b_1 \in \{0, 1, 2\}$.

(2) Determine

$M_0 \equiv M S^{2 b_1}$, $M_1 \equiv C M_0 \pmod R$,

where $0 < M_0, M_1 < R$. Put $M_2 = R - M_0 - M_1$. Since
$M_0 + M_1 + M_2 = R \equiv 1 \pmod 3$, one of $M_0, M_1, M_2$ is distinct modulo 3
from the other two. If this is $M_i$, put $b_2 = i$.

(3) Compute

(3.1)    $K \equiv M_0^3 \pmod R$,

where $0 < K < R$.

(4) Transmit $E(M) = L = \{K, b_1, b_2\}$.

To decrypt the message L, the designer must perform the following steps.

(1) Determine

$N \equiv K^d \pmod R$,

where $0 < N < R$.

(2) Calculate

$N_0 = N$, $N_1 \equiv C N_0 \pmod R$ ($0 < N_1 < R$), $N_2 = R - N_1 - N_0$.

Let $N_j$ be that one of $N_0, N_1, N_2$ which is distinct modulo 3 from the
other two.

(3) Compute

$D(L) \equiv S^{-2 b_1} C^{2 b_2} N_j \pmod R$,

where $0 < D(L) < R$.

That $D(L) = D(E(M)) = M$ follows easily from the corollary of Theorem 2.2 and
the simple fact that $C^2 + C + 1 \equiv 0 \pmod R$. Hence $\{N_0, N_1, N_2\} = \{M_0, M_1, M_2\}$
and $N_j = M_{b_2} \equiv C^{b_2} M_0 \pmod R$. If, as in the case discussed in §1, we wish to add a
value of e such that $\gcd(e, \phi(R)) = 1$ to the encryption key, we can do so easily
by replacing (3.1) by

$K \equiv M_0^{3e} \pmod R$.

Also, d must now be a solution of the linear congruence

$de \equiv ((p_1 - 1)(p_2 - 1)/9 + 1)/3 \pmod{\phi(R)}$.

There is, of course, one problem here that we have not discussed and that is the
method of computing $[M/A + B\rho]$ rapidly and without knowing how to factor $A + B\rho$.
In §5 we describe an O(log R) algorithm for doing this.

We conclude this section by pointing out that this idea can also be used to
produce signatures in much the same manner as that used in [10]; further, our encryption
scheme is an example of a claw-free permutation (see Goldwasser et al. [2]).
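The §2 construction (π₁, π₂, A, B and C with C² + C + 1 ≡ 0 mod R) together with the §3 encryption and decryption steps, as an added Python example that is not the paper's own code. Two points are assumptions of this example rather than statements of the paper: the primes π_i are found by brute force (a stand-in for Algorithm 1 of §5), and the sender's cubic symbol [M/A + Bρ] is passed in as a function and is evaluated here from the designer's factorization via Theorem 2.1, since Algorithm 2 of §5 is the public route a real sender would take. The three candidates M₀, M₁, M₂ are taken as the least positive residues of C^i M₀, so that their sum is R or 2R and the modulo-3 selection of step (2) applies either way (the expression R - M₀ - M₁ is negative when M₀ + M₁ > R). All parameters are small constructed values and the names are chosen here.

```python
from math import gcd

def eisenstein_mul(x, y):
    """(a + b rho)(c + d rho) in Z[rho], using rho^2 = -1 - rho."""
    a, b = x
    c, d = y
    return (a * c - b * d, a * d + b * c - b * d)

def eisenstein_norm(x):
    a, b = x
    return a * a - a * b + b * b

def primary_prime_above(p):
    """Some pi = a + b rho with N(pi) = p, a = -1 (mod 3) and 3 | b, by brute force;
    a stand-in for Algorithm 1 of section 5, adequate for the small p used here."""
    bound = int(2 * p ** 0.5) + 2
    for a in range(-bound, bound + 1):
        for b in range(-bound, bound + 1):
            if a % 3 == 2 and b % 3 == 0 and eisenstein_norm((a, b)) == p:
                return (a, b)
    raise ValueError("no prime of norm %d: p must be a prime = 1 (mod 3)" % p)

def cubic_symbol_mod_p(X, p, c):
    """lam in {0,1,2} with X^((p-1)/3) = c^lam (mod p), i.e. [X/pi] = rho^lam, where c
    is the cube root of unity mod p that pi identifies with rho (Theorem 2.1)."""
    t = pow(X, (p - 1) // 3, p)
    return next(lam for lam in range(3) if pow(c, lam, p) == t)

def cubic_symbol_R(X, secret):
    """[X/pi1 pi2] = rho^b1, returned as b1, from the designer's factorization; since
    C = rho (mod pi_i), the cube root of unity to use modulo p_i is C mod p_i."""
    p1, p2, C, _ = secret
    return (cubic_symbol_mod_p(X, p1, C % p1) + cubic_symbol_mod_p(X, p2, C % p2)) % 3

def keygen(p1, p2):
    """Designer's side of section 3: public {A, B, S}, secret (p1, p2, C, d)."""
    assert p1 % 3 == 1 and p2 % 3 == 1 and p1 != p2
    assert ((p1 - 1) * (p2 - 1) // 9) % 3 == 2          # (p1-1)(p2-1)/9 = -1 (mod 3)
    R = p1 * p2
    A, B = eisenstein_mul(primary_prime_above(p1), primary_prime_above(p2))
    assert A * A - A * B + B * B == R and gcd(B, R) == 1
    C = (-A * pow(B, -1, R)) % R                        # C = rho (mod pi1 pi2)
    assert (C * C + C + 1) % R == 0
    d = ((p1 - 1) * (p2 - 1) // 9 + 1) // 3
    secret = (p1, p2, C, d)
    S = next(s for s in range(2, R)                     # [S/pi1 pi2] = rho, found by trial
             if gcd(s, R) == 1 and cubic_symbol_R(s, secret) == 1)
    return (A, B, S), secret

def odd_one_out(cands):
    """Index of the one of three residues whose value mod 3 differs from the other two."""
    r = [x % 3 for x in cands]
    return next(i for i in range(3) if r.count(r[i]) == 1)

def encrypt(pub, M, symbol):
    """Sender's side. `symbol(M)` must return b1 with [M/A + B rho] = rho^b1; a real
    sender evaluates it from the public A, B with Algorithm 2 of section 5."""
    A, B, S = pub
    R = A * A - A * B + B * B
    assert 0 < M < R and gcd(M, R) == 1
    b1 = symbol(M)
    M0 = (M * pow(S, 2 * b1, R)) % R                    # now [M0/pi1 pi2] = 1
    C = (-A * pow(B, -1, R)) % R                        # derivable from the public key
    cands = [M0, (C * M0) % R, (C * C * M0) % R]        # M0, M1, M2 = C^i M0 mod R
    b2 = odd_one_out(cands)
    return pow(M0, 3, R), b1, b2

def decrypt(pub, secret, L):
    A, B, S = pub
    p1, p2, C, d = secret
    R = p1 * p2
    K, b1, b2 = L
    N = pow(K, d, R)                                    # N = C^lam M0 (corollary of Thm 2.2)
    cands = [N, (C * N) % R, (C * C * N) % R]           # same set as {M0, M1, M2}
    Nj = cands[odd_one_out(cands)]                      # this is M_{b2} = C^{b2} M0
    return (Nj * pow(C, 2 * b2, R) * pow(S, -2 * b1, R)) % R
```

With the constructed primes 7 and 13 the designer obtains R = 91, d = 3, π₁π₂ = -5 + 6ρ and C = 16; the smallest S with [S/π₁π₂] = ρ turns out to be 9, and every M coprime to 91 round-trips.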

4. Security. In this section we will show that it is as difficult to break this
system as it is to factor R in $\mathbb{Z}$. This problem is equivalent in difficulty to
the problem of factoring $A + B\rho$ in $O_K$. We first require three lemmas.

Lemma 4.1. Let $K \equiv Y^3 \pmod R$ for some $Y \in \mathbb{Z}$. For any $i \in \{0, 1, 2\}$ there exists
an $X \in \mathbb{Z}$ such that

$X^3 \equiv K \pmod R$ and $[X/\pi_1 \pi_2] = \rho^i [Y/\pi_1 \pi_2]$.

Proof. Let $j, k \in \{0, 1, 2\}$ such that

$j - k \equiv i (p_1 - 1)/3 \pmod 3$.

Since

$(p_1 - 1)(p_2 - 1)/9 \equiv -1 \pmod 3$,

we must have

(4.1)    $i \equiv j (p_1 - 1)/3 + k (p_2 - 1)/3 \pmod 3$.

If we use the Chinese Remainder Theorem to find X such that

$X \equiv C^j Y \pmod{p_1}$,
$X \equiv C^k Y \pmod{p_2}$,

then

$X^3 \equiv Y^3 \equiv K \pmod R$

and

$[X/\pi_1 \pi_2] = [C/\pi_1]^j [C/\pi_2]^k [Y/\pi_1 \pi_2] = [\rho/\pi_1]^j [\rho/\pi_2]^k [Y/\pi_1 \pi_2] = \rho^i [Y/\pi_1 \pi_2]$

by (4.1).

Lemma 4.2 For any $Y \in \mathbb{Z}$ such that $\gcd(Y, R) = 1$ and any $b_1, b_2 \in \{0, 1, 2\}$ there
exists a unique $M \in \mathbb{Z}$ ($0 < M < R$) such that for the encryption key $\{A, B, S, e\}$ we
have

$E(M) = \{K, b_1, b_2\}$,

where $K \equiv Y^3 \pmod R$ and $0 < K < R$.

Proof. Let $fe \equiv 1 \pmod{\phi(R)}$ and put $T \equiv Y^{3f} \pmod R$.
By Lemma 4.1 there must exist $X \in \mathbb{Z}$ such that $X^3 \equiv T \pmod R$ and $[X/\pi_1 \pi_2] = 1$.
Define $X_i \equiv C^i X \pmod R$, where $0 < X_i < R$, i = 0, 1, 2, and let $X_j$ be that one of
$X_0, X_1, X_2$ which is distinct modulo 3 from the other two. Set

$k \equiv 2(b_2 - j) \pmod 3$, $k \in \{0, 1, 2\}$,

and put

$M \equiv S^{-2 b_1} C^k X \pmod R$,

where $0 < M < R$. Then

$[M/\pi_1 \pi_2] = [S/\pi_1 \pi_2]^{-2 b_1} [C/\pi_1 \pi_2]^k [X/\pi_1 \pi_2] = \rho^{-2 b_1} \rho^{k((p_1 - 1)/3 + (p_2 - 1)/3)} = \rho^{b_1}$,

since $(p_1 - 1)/3 + (p_2 - 1)/3 \equiv 0 \pmod 3$; also,

$M_i \equiv C^i S^{2 b_1} M \equiv C^h X \pmod R$,

where $h \equiv 2(b_2 - j) + i$ and $0 < M_i < R$. Hence, we get $\{M_0, M_1, M_2\} = \{X_0, X_1, X_2\}$
and when $i = b_2$, then

$M_i \equiv C^j X \pmod R$.

It follows that $M_i = X_j$ and $M_i$ is distinct modulo 3 from the other two M values
when $i = b_2$. Also

$M_0^{3e} \equiv X^{3e} \equiv T^e \equiv Y^{3ef} \equiv Y^3 \equiv K \pmod R$.

Hence $E(M) = \{K, b_1, b_2\}$. Since $D(E(M)) = M$, M must also be unique. □

Lemma 4.3 If $X, Y \in \mathbb{Z}$, $X^3 \equiv Y^3 \pmod R$, and $[X/\pi_1 \pi_2] \neq [Y/\pi_1 \pi_2]$, then
$\gcd(X - C^i Y, R)$ is $p_1$ or $p_2$ for some $i \in \{0, 1, 2\}$.

Proof. Since $X^3 \equiv Y^3 \pmod R$, we have

$(X - Y)(X - CY)(X - C^2 Y) \equiv 0 \pmod{p_1 p_2}$.

If $p_1 p_2 \mid X - C^i Y$, then

$[X/\pi_1 \pi_2] = [C/\pi_1 \pi_2]^i [Y/\pi_1 \pi_2] = [Y/\pi_1 \pi_2]$,

which is not so. Thus, there must exist some $X - C^i Y$ with $i \in \{0, 1, 2\}$ such that
exactly one of $p_1, p_2$ divides it, say $p_1 \mid X - C^i Y$ and $p_2 \nmid X - C^i Y$. It follows
that $\gcd(X - C^i Y, R) = p_1$. □

Now suppose that we have some algorithm F which will decrypt 1/k of all
messages. If an arbitrary Y is selected such that $[Y/\pi_1 \pi_2] \neq 1$ and
$\gcd(Y, R) = 1$ (note that S is a possible value of Y), then put $K \equiv Y^3 \pmod R$
with $0 < K < R$ and select any $b_1, b_2 \in \{0, 1, 2\}$. By Lemma 4.2 there exists a unique
M such that

$E(M) = \{K, b_1, b_2\}$.

After k trials at a value for Y we would expect that F would determine the
corresponding M from $\{K, b_1, b_2\}$. Putting $M_0 \equiv M S^{2 b_1} \pmod R$ and $X \equiv M_0^e \pmod R$,
we have

$X^3 \equiv Y^3 \pmod R$

and

$1 = [X/\pi_1 \pi_2] \neq [Y/\pi_1 \pi_2]$.

It follows from Lemma 4.3 that with knowledge of M and Y, we can easily factor R.

It might be felt that, in revealing the values of A and B, the designer in
some way aids his opponent to factor $R = A^2 - AB + B^2$. For example, if his opponent
were able to find G, H such that $G \neq \pm A, \pm B, \pm(A - B)$ and $R = G^2 - GH + H^2$, then he
could factor R by using his knowledge of A, B, G, H. We point out, however, that if we are
given C such that $C^2 + C + 1 \equiv 0 \pmod R$, then $(2C + 1)^2 \equiv -3 \pmod R$ and it
can be shown that by using Algorithm 1 we can compute A and B such that

$R = A^2 - AB + B^2$

in O(log R) operations. Thus, knowledge of C is equivalent to the knowledge of
A and B. Now $C^3 \equiv 1 \pmod R$ and if we could find X such that $X^3 \equiv 1 \pmod R$
and $[X/\pi_1 \pi_2] \neq 1$, we could factor R. But this is really no different from taking
an arbitrary Y, determining $K \equiv Y^3 \pmod R$ and then finding some X such that
$X^3 \equiv K$ and $[X/\pi_1 \pi_2] \neq [Y/\pi_1 \pi_2]$, a problem equivalent in difficulty to factoring R.
That is, unless there is something special about a value of K = 1, knowledge of C
seems, for the problem of factoring R, to give no more information than the knowledge
of an arbitrary Y.

We should, nevertheless, emphasize here that the method of showing the equivalence
of breaking our system to the problem of factoring R is constructive; that is,
this encryption technique is vulnerable to a known ciphertext attack, if such an
attack can be mounted. We refer the reader to the relevant comments in [10] concerning
this.
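Lemma 4.3 made executable, as an added example that is not the paper's code: given two cube roots of the same K whose symbols differ, a gcd with one of X - C^i Y exposes a prime factor of R, which is exactly why the constructive equivalence above means a decryption oracle must never be exposed. The instance is constructed: R = 91 = 7·13 and C = 16 satisfy C² + C + 1 ≡ 0 (mod 91); X = 90 ≡ -1 has symbol 1, Y = 12 also satisfies Y³ ≡ -1 (mod 91) but has symbol ρ², while 75 = C·X is a cube root of the same K with the same symbol as X and therefore yields nothing. The function name is chosen here.

```python
from math import gcd

def factor_from_cube_roots(X, Y, C, R):
    """Lemma 4.3: if X^3 = Y^3 (mod R) but [X/pi1 pi2] != [Y/pi1 pi2], then some
    X - C^i Y (i = 0, 1, 2) is divisible by exactly one of p1, p2 and the gcd
    exposes it.  Returns that prime, or None when every gcd is trivial."""
    assert pow(X, 3, R) == pow(Y, 3, R)
    for i in range(3):
        g = gcd(X - pow(C, i, R) * Y, R)
        if 1 < g < R:
            return g
    return None

# Constructed toy instance (see the lead-in): R = 7 * 13, C a cube root of unity mod R.
TOY_R, TOY_C = 91, 16

if __name__ == "__main__":
    print(factor_from_cube_roots(90, 12, TOY_C, TOY_R))   # a prime factor of 91
    print(factor_from_cube_roots(90, 75, TOY_C, TOY_R))   # same symbol: None
```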

The problem of extending our method further to an $M^r$ encryption scheme, where
r is a prime and $p_1 \equiv p_2 \equiv 1 \pmod r$, is rather difficult. In the first place, it
is necessary to be able to further extend the Jacobi symbol and be able to evaluate
it in O(log R) time. This would mean, as far as is known today, that the cyclotomic
extension of the rationals $K_r = Q(\rho)$, where ρ is a primitive r-th root of unity, must
be Euclidean. As $K_r$ can be Euclidean only when the class number of $K_r$ is 1, this
means that r could only be 2, 3, 5, 7, 11, 13, 17, 19. Of these it is known that
if r = 2, 3, 5, 7, 11, then $K_r$ is Euclidean. The other values 13, 17, 19 have not
been investigated (see Lenstra [4]). While it may, in principle, be possible to
extend the algorithms in §5 to the cases of r = 5, 7, 11, the details would be very
onerous and the corresponding computations would be concomitantly slowed. Possibly,
the case of r = 5 might be worthwhile investigating.



5. Algorithms. In this section we describe two algorithms. The first of these is
a method of determining a and b, given m and x such that $x^2 \equiv -3 \pmod m$, for
which $m = a^2 - ab + b^2$.

If m is a prime we can find x in O(log m) operations by using either the
algorithm described by Lehmer [3] or that of Shanks [7]. This often requires that
we know in advance a quadratic non-residue of m. There is no O(log m) deterministic
way known for doing this, but in practice one finds such a non-residue by trial very
easily. An O(log m) deterministic method for finding x when m is prime has been
given recently by Schoof [6], but as Schoof himself says, no one would ever use this
very complicated technique.

The algorithm we present here is a simple adaptation of the method described by
Wilker [8] to solve $u^2 + 5v^2 = n$. There is no loss of generality in assuming m is
not a perfect square and $m \equiv 1 \pmod 3$.

2 2 

Algorithm 1. (Find s, t such that $m = s^2 + 3t^2$ when $m \equiv 1 \pmod 3$.)

(1) Use the Euclidean algorithm to find $r_0, r_1, r_2, \ldots$, where

$x = q_0 m + r_0$,    $0 < r_0 < m$,
$m = q_1 r_0 + r_1$,    $0 < r_1 < r_0$,
$r_0 = q_2 r_1 + r_2$,    $0 < r_2 < r_1$,
...

If $r_0^2 < m$, then $m = r_0^2 + 3t^2$ for some t and we are done. If $r_0^2 > m$, then find $r_n$
such that

$r_{n-1}^2 > m$ and $r_n^2 < m$.

Only O(log m) operations are needed to do this.

(2) Put $s = \pm r_n$. When $3 \mid r_{n-1}$ and $r_{n-1}^2 < 9m$, put $t = \pm r_{n-1}/3$;
otherwise, put $t = \pm (r_n - k)$, where

$k \equiv (\ldots)/6 \pmod{r_n}$.

Here $0 < k < r_n$, $r_i \equiv \varepsilon_i \pmod 3$, and $|\varepsilon_i| \le 1$.

We have $m = s^2 + 3t^2 = (s + t)^2 - 2t(s + t) + 4t^2$.

If m is a prime p and we want a prime $\pi = a + b\rho$ such that $N(\pi) = p$,
then we select the sign of s such that $a = s + t \equiv -1 \pmod 3$ and put $b = 2t$
when $3 \mid t$. If $3 \nmid t$, we select the sign of t such that $a = 2t \equiv -1 \pmod 3$ and
put $b = s + t$.
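The Euclidean descent of Algorithm 1 for a prime m, followed by the conversion of (s, t) into a prime π = a + bρ with a ≡ -1 (mod 3) and 3 | b, as an added Python example (not the paper's own code). The square root of -3 comes from a non-cube found by trial, the non-residue search the text mentions: if w = g^{(p-1)/3} ≠ 1 then (2w + 1)² ≡ -3 (mod p), the same identity the §4 remark about (2C + 1)² uses. The adjustments of step (2) for 3 | r_{n-1} and for composite m are not implemented, so `algorithm1` is meant for prime m; it happens to succeed as well on the constructed composite 91 = 7·13 with x = 2·16 + 1 used in the test. The primes are constructed values and the function names are chosen here.

```python
from math import isqrt

def sqrt_minus3_mod_p(p):
    """x with x^2 = -3 (mod p) for a prime p = 1 (mod 3): find a non-cube g by trial,
    then w = g^((p-1)/3) is a primitive cube root of unity and
    (2w + 1)^2 = 4(w^2 + w + 1) - 3 = -3 (mod p)."""
    assert p % 3 == 1
    for g in range(2, p):
        w = pow(g, (p - 1) // 3, p)
        if w != 1:
            return (2 * w + 1) % p
    raise ValueError("no non-cube found; is p prime?")

def algorithm1(m, x):
    """Step (1) of Algorithm 1 for prime m: with x^2 = -3 (mod m), run the Euclidean
    algorithm on (m, x) and stop at the first remainder r_n with r_n^2 < m; then
    s = r_n and t^2 = (m - s^2)/3 (the form of Cornacchia's method for s^2 + 3t^2)."""
    r_prev, r = m, x % m
    while r * r >= m:
        r_prev, r = r, r_prev % r
    s = r
    t2, rem = divmod(m - s * s, 3)
    t = isqrt(t2)
    if rem or t * t != t2:
        raise ValueError("descent gave no representation m = s^2 + 3t^2")
    return s, t

def primary_prime_from_st(s, t):
    """m = s^2 + 3t^2 = (s+t)^2 - 2t(s+t) + 4t^2 = N(a + b rho); choose the signs so that
    a = -1 (mod 3) and 3 | b, as at the end of Algorithm 1."""
    if t % 3 == 0:
        if (s + t) % 3 != 2:         # flip s so that a = s + t = -1 (mod 3)
            s = -s
        return (s + t, 2 * t)
    if (2 * t) % 3 != 2:             # flip t so that a = 2t = -1 (mod 3)
        t = -t
    if (s + t) % 3 != 0:             # flip s so that 3 | b = s + t
        s = -s
    return (2 * t, s + t)

def prime_above(p):
    """Prime pi = (a, b) of Z[rho] with N(pi) = p, for a prime p = 1 (mod 3)."""
    return primary_prime_from_st(*algorithm1(p, sqrt_minus3_mod_p(p)))

if __name__ == "__main__":
    for p in (7, 13, 31, 997):        # constructed primes, all = 1 (mod 3)
        print(p, algorithm1(p, sqrt_minus3_mod_p(p)), prime_above(p))
```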






The next algorithm we present is one which can be used to evaluate the extended
Jacobi symbol $[\alpha/\beta]$ without requiring the factorization of β. This algorithm was
undoubtedly known to Jacobi and is given in Williams and Holte [9]. We assume that
$\alpha = A + B\rho$, $\beta = C + D\rho$. Here the symbols A, B, C, D do not have the meanings assigned
to them previously but merely denote rational integers such that $3 \nmid C$ and $3 \mid D$.

Algorithm 2. (Determine g and γ such that $[\alpha/\beta] = \rho^g [\beta/\gamma]$ and $N(\gamma) < N(\beta)$.)

(1) Find $E = A - xC + yD$, $F = B - yC - xD + yD$, where

$x = \mathrm{Ne}\{(AC + BD - AD)/N(\beta)\}$,
$y = \mathrm{Ne}\{(BC - AD)/N(\beta)\}$,

$N(\beta) = C^2 - CD + D^2$, and Ne{a} denotes the nearest integer to a.

(2) If $E \equiv -F \pmod 3$, divide $E + F\rho$ by $1 - \rho$ k times until
$(E + F\rho)/(1 - \rho)^k = E' + F'\rho$ with $E' \not\equiv -F' \pmod 3$, and take these $E', F'$ as the new
E, F. This process is facilitated by making use of the observation that if $E = -F + 3Q$, then

$(E + F\rho)/(1 - \rho) = 2Q - F + Q\rho$.

(3) If $3 \mid F$, put j = 0, G = E, H = F; if $3 \mid E$, put j = 1, G = F - E, H = -E;
if $3 \nmid FE$, put j = 2, G = -F, H = E - F. Then $\gamma = G + H\rho$ and

$g \equiv (2k + j)(C^2 - 1)/3 - jCD/3 \pmod 3$.

We have $[\alpha/\beta] = \rho^g [\beta/\gamma]$ and $N(\gamma) < (3/4) N(\beta)$. Clearly we can repeat this
algorithm until we get a symbol of the form $[\pm 1/\gamma] = 1$; the accumulated power of ρ
will then be the value of $[\alpha/\beta]$. Since $N(\gamma) < (3/4) N(\beta)$, we see that this algorithm
must terminate in O(log N(β)) operations.
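Algorithm 2 as an added Python implementation (not the paper's code), iterated until the denominator is a unit so that it returns the whole symbol [α/β] as the exponent g with [α/β] = ρ^g. Step (3) picks the associate γ = ρ^{-j}(E + Fρ) whose ρ-coefficient is divisible by 3, and the g update carries the supplementary values [ρ/β] = ρ^{(C²-1)/3 - CD/3} and [(1-ρ)/β] = ρ^{2(C²-1)/3} together with reciprocity [γ/β] = [β/γ]. Ties in Ne{} are rounded upward here, which still keeps N(E + Fρ) ≤ (3/4)N(β). The cross-check `cubic_symbol_from_factors` uses what a sender does not have, the factorization N(β) = p₁p₂, and evaluates the symbol through Theorem 2.1 with C = -AB^{-1} (mod R); the constructed denominator -5 + 6ρ is a product of primes above 7 and 13, so R = 91. Function names are chosen here.

```python
def norm(x):
    """N(a + b rho) = a^2 - ab + b^2."""
    a, b = x
    return a * a - a * b + b * b

def nearest_int(num, den):
    """Ne{num/den} for den > 0: the nearest integer, ties rounded upward."""
    return (2 * num + den) // (2 * den)

def cubic_symbol(alpha, beta):
    """[alpha/beta] for alpha = A + B rho, beta = C + D rho with 3 not | C and 3 | D,
    returned as g in {0, 1, 2} meaning rho^g, by iterating Algorithm 2 until the
    denominator is a unit.  Returns None when alpha and beta are not coprime."""
    g = 0
    while True:
        A, B = alpha
        C, D = beta
        assert C % 3 != 0 and D % 3 == 0
        nb = norm(beta)
        if nb == 1:                            # [anything/unit] = 1: nothing left to multiply
            return g
        # Step (1): E + F rho = alpha - (x + y rho) beta with x + y rho ~ alpha/beta
        x = nearest_int(A * C + B * D - A * D, nb)
        y = nearest_int(B * C - A * D, nb)
        E = A - x * C + y * D
        F = B - y * C - x * D + y * D
        if E == 0 and F == 0:
            return None                        # beta divides alpha: the symbol is 0
        # Step (2): divide out 1 - rho while E = -F (mod 3), counting k
        k = 0
        while (E + F) % 3 == 0:
            Q = (E + F) // 3                   # E = -F + 3Q
            E, F = 2 * Q - F, Q                # (E + F rho)/(1 - rho) = 2Q - F + Q rho
            k += 1
        # Step (3): associate gamma = G + H rho with 3 | H; j records the unit used
        if F % 3 == 0:
            j, G, H = 0, E, F
        elif E % 3 == 0:
            j, G, H = 1, F - E, -E
        else:
            j, G, H = 2, -F, E - F
        g = (g + (2 * k + j) * (C * C - 1) // 3 - j * C * D // 3) % 3
        alpha, beta = beta, (G, H)             # [gamma/beta] = [beta/gamma], N(gamma) < 3/4 N(beta)

def cubic_symbol_from_factors(X, beta, p1, p2):
    """Cross-check that uses the designer's secret factorization N(beta) = p1 p2: with
    C = -A B^{-1} (mod R), so C = rho (mod beta), [X/beta] = rho^(lam1 + lam2) where
    X^((p_i - 1)/3) = (C mod p_i)^lam_i (mod p_i), as in Theorem 2.1."""
    A, B = beta
    R = p1 * p2
    C = (-A * pow(B, -1, R)) % R
    total = 0
    for p in (p1, p2):
        t = pow(X, (p - 1) // 3, p)
        total += next(lam for lam in range(3) if pow(C % p, lam, p) == t)
    return total % 3

if __name__ == "__main__":
    beta = (-5, 6)                             # constructed: pi1 pi2 for primes above 7 and 13
    print([cubic_symbol((X, 0), beta) for X in (1, 2, 3, 5, 6, 10)])
```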






REFERENCES

[1] R.A. DeMillo, G.I. Davida, D.P. Dobkin, M.A. Harrison, and R.J. Lipton, On the
safety of cryptosystems, Applied Cryptology, Cryptographic Protocols and
Computer Security Models, AMS Short Courses Lecture Notes, Vol. 29, Providence,
1983.

[2] Shafi Goldwasser, Silvio Micali, R.L. Rivest, A "paradoxical" solution to the
signature problem, Proc. 25th IEEE Symposium on Foundations of Computer Science,
to appear.

[3] D.H. Lehmer, Computer technology applied to the theory of numbers, Studies in
Number Theory, Math. Assoc. of America, 1969, Theorem 5, p. 133.

[4] H.W. Lenstra, jr., Euclidean number fields I, Math. Intelligencer 2 (1979/80),
6-15.

[5] M.O. Rabin, Digitized signatures and public-key functions as intractable as
factorization, M.I.T. Lab. for Computer Science, Tech. Rep. LCS/TR212, 1979.

[6] René Schoof, Elliptic curves over finite fields and the computation of square
roots mod p, Math. Comp. 44 (1985), 483-494.

[7] D. Shanks, Five number theoretic algorithms, Congressus Numerantium 7 (1973),
51-69.

[8] Peter Wilker, An efficient algorithmic solution of the diophantine equation
$u^2 + 5w^2 = m$, Math. Comp. 35 (1980), 1347-1352.

[9] H.C. Williams and R. Holte, Computation of the solution of $x^3 + Dy^3 = 1$,
Math. Comp. 31 (1977), 778-785.

[10] H.C. Williams, A modification of the RSA public-key encryption procedure, IEEE
Transactions on Information Theory, IT-26 (1980), 726-729.



Trapdoor Rings And Their Use In Cryptography

V. Varadharajan
Dept. of Elec. and Electronic Eng., Plymouth Polytechnic,
Drake Circus, PLYMOUTH PL4 8AA, U.K.

Abstract

This paper examines possible trapdoor structures which can be used to
design public key cryptosystems based on the factorization problem. Some
examples of such finite trapdoor systems which might serve as a basis for
an extended RSA cryptosystem are proposed.



Introduction 



Recently much research work has been carried out in the field of
asymmetric or public key cryptosystems [1, 2, 3], which allow two users to
communicate securely over an insecure channel without any
prearrangement. They are classified as asymmetric because the sender and
the receiver employ two different keys to encrypt and decrypt a message.
Separating the enciphering and deciphering capabilities allows secrecy to
be maintained without keeping the encrypting key hidden as it is no longer
used in deciphering. The decrypting key is kept private and there is no
need for anyone to communicate his decryption key to anyone else. The
concept of a public key cryptosystem is illustrated in figure 1. User i



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 369-395, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






[Fig. 1 - Public key cryptosystem. Labels in the original figure: starting key, receiver's public key, secret key; plaintext, encryption, ciphertext, decryption, plaintext; sender (many), receiver (one).]



encrypts the message M using the publicly known encrypting key of user j
and sends the cipher to user j over an insecure channel. Only the user j
will be able to decrypt the cipher to recover M as he is the only one who
knows his secret decryption key.

The encryption (E) and decryption (D) algorithms in such a system have, in
general, the following properties:

a. Deciphering the enciphered form of a message M yields M, that is,
D(E(M)) = M.

b. Both E and D are easy to compute.

c. By publicly revealing E, the user does not reveal an easy way to compute
D. This means that only the receiver can decrypt the messages encrypted
with E or compute D efficiently.




A major implication of the public key cryptosystem is that it eliminates
the need for a secret transferral of keys as in the case of conventional
symmetric cryptographic algorithms which employ the same key for both
encryption and decryption. Furthermore, the public key algorithms can be
used in conjunction with the symmetric algorithms to distribute the secret
key. This can be seen as follows:

User i can encrypt the secret key in a symmetric system using the public
key of user j and then send it to user j over an insecure channel. Because
the deciphering key is only known to user j, he is the only one who can
decrypt the cipher and obtain the secret key. Now users i and j can have a
secure conversation using a symmetric algorithm with the transferred
secret key.

Note that in this arrangement the sole purpose of the public key system is
to distribute the secret key required for the symmetric algorithm.

Another implication of the public key cryptosystem is that it is possible
to 'sign' messages in a way that is unforgeable but easily
verifiable. This can be accomplished provided the enciphering and
deciphering procedures can be used in either order. To sign a message, a
user i operates first on the message with his secret decryption key and
then with the public key of user j to produce the cipher. The user j
recovers the message by operating on the cipher, first with his secret
decryption key and then with the public key of user i. Since only user i
knows his secret decryption key, only user i could have created the cipher
which produces the correct message when his public key is applied to
it. Thus it is possible to obtain a digital signature feature [3] provided
the encryption and decryption algorithms satisfy an additional property
(d) given by






d. Enciphering the deciphered form of a message M yields M, that
is, E(D(M)) = M.

For a public key system to be secure, it should be computationally
infeasible for the cryptanalyst to determine the secret decryption key
from the publicly known parameters of the encryption and decryption
procedures and the encryption key. Such systems are constructed using
'trapdoor one-way functions'.

Definition: A function f is said to be a one-way function if it is easy to
compute y = f(x) for all x but difficult to compute $x = f^{-1}(y)$ for almost all y.

Note that the phrase 'almost all y' is necessary because a table of some
of the values of f(x) can be stored and if y happens to belong to this
table the corresponding x can be easily determined. The above definition
does not provide an absolute sense in which a function is one-way as it
depends on the computational resources available. A precise definition of a
one-way function depends on a specific measure of complexity as the
difficulty of computing the inverse function varies with time and
technology. The complexity measures are often defined in terms of time or
storage required to compute the inverse. Computational tasks which require
of the order of $10^{\ldots}$ operations or $10^{\ldots}$ storage elements are generally
considered to be infeasible [4]. It is possible to construct one-way
functions y = f(x, k) where the difficulty of computing y increases linearly
with k but that of computing x increases exponentially with k. In such a
case it is possible to increase k to such an extent that computation of
the inverse requires the limits mentioned above. However one-way functions
cannot be used directly to design a public key system as the legal
receiver needs to decrypt the cipher y easily for all y.




Definition: A 'trapdoor one-way function' is a one-way function with the
additional property that if certain specific information (the trapdoor)
employed in the design of the function is known then it is easy to compute
the inverse function.

That is, given the secret decryption key (trapdoor), $f^{-1}(y)$ can be easily
calculated.

A well known public key cryptosystem which has survived many
cryptanalytical attacks is the Rivest-Shamir-Adleman system (RSA) [2],
which is based on the difficulty of factoring a large rational integer
into its primes. The system designer chooses two distinct primes p and q
and publishes the product m = pq. The product m is assumed to be so large
that factoring it is beyond all projected computation capabilities. For
instance, if m is chosen to be a 200 digit decimal integer, then it will
require of the order of $10^{\ldots}$ operations using the best known factoring
algorithm [2]. The encryption procedure raises the message x, 1 < x < m, to the
e-th power modulo m and the decryption is performed by raising the cipher
y to the d-th power modulo m.

Encryption: $y = x^e \pmod m$

Decryption: $x = y^d \pmod m$

The public encryption key is (e, m) and the secret decryption key is
(d, m). The coding exponents e and d are chosen to be multiplicative
inverses of each other modulo φ(m), where φ is the Euler totient function:

$ed = 1 \pmod{\phi(m)}$    (1)

If the cryptanalyst can determine φ(m), then he can obtain the decoding
exponent d by solving (1). If m can be easily factorized to p and q, then
the cryptanalyst can find φ(m) and d and hence crack the system.






In this article, some algebraic structures suitable for use in the design
of RSA type factorization-based trapdoor systems are investigated.

Assume R is a finite ring with unity which is associative but not
necessarily commutative. Suppose that members of the ring R are used as
messages and that $r \in R$ is enciphered as $r^e$ where e is the published
encrypting exponent.

The trapdoor property can be stated as follows:

there exists some integer n > 0 such that $r^{n+1} = r$ for all $r \in R$.

These rings are to be referred to as trapdoor rings.

For instance, in the ring of integers modulo a prime number p, R = Z/pZ,
$r^p = r$ for all $r \in R$. More generally, if $R = F_q = GF(q)$, the field of q
elements where q is a prime power ($p^k$), then $r^q = r$ for all $r \in R$.
Consider any two such trapdoor rings R and S and construct the direct sum
$R \oplus S$ consisting of vectors (r, s) with $r \in R$ and $s \in S$. These vectors are
added and multiplied componentwise. That is, (r, s) + (r', s') gives
(r + r', s + s') and (r, s)·(r', s') is (rr', ss'). These rules make $R \oplus S$ into
another trapdoor ring, say T. The number of elements of T is equal to the
product of the number of elements in rings R and S. Suppose that $r^{m+1} = r$
for all $r \in R$ and $s^{n+1} = s$ for all $s \in S$. Then $r^{m+N} = r^N$ for all $N \ge 1$.
Similarly, $s^{n+N} = s^N$ for all $N \ge 1$. In particular, $r^{1+km} = r$ for all
$k \ge 1$ and $s^{1+kn} = s$ for all $k \ge 1$. Hence $r^{1+lmn} = r$ and
$s^{1+lmn} = s$ for all $l \ge 1$. Hence $t^{1+lmn} = t$ for all $t \in T$, $l \ge 1$, and so
T is a trapdoor ring.

This above process can be applied repeatedly by taking vectors of
arbitrarily many components, each taken from some finite field. Considering
finite fields $F_{q_i}$ for $1 \le i \le J$ where the $q_i$'s can be the same or
different, the trapdoor ring R consists of all vectors $x = (x_1, \ldots, x_J)$
where $x_i \in F_{q_i}$, $1 \le i \le J$. The ring consists of $q_1 \cdots q_J$ elements
and the equality $r^{n+1} = r$ is obeyed for all $r \in R$, where n is equal to
$(q_1 - 1) \cdots (q_J - 1)$ or any multiple of it.

There are many finite rings which are not trapdoor rings. Consider, for
instance, $R = Z/p^2 Z$ where p is a prime. Then $p^2 = 0 = p^3 = \ldots$ in
ring R but $p \neq 0$ in R. So the property that $p^{n+1} = p$ is not satisfied for
any n > 0. However if we take an integer k to be a square free positive
integer, say, $k = p_1 \cdots p_J$ where all $p_i$'s are distinct primes then
the ring R = Z/kZ is a trapdoor ring and in fact it can be regarded as a
direct sum $F_{p_1} \oplus \cdots \oplus F_{p_J}$ as described above. If J = 2, then
this becomes the standard trapdoor ring used by the RSA cryptosystem.
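A check of the trapdoor-ring property on small Z/kZ, added here as a Python example (not the paper's code): `trapdoor_exponent` searches by brute force for the least n with r^{n+1} = r for every r in Z/kZ, and `predicted_exponent` gives the value the direct-sum description above implies for square-free k, namely lcm(p_i - 1) (a divisor of (p_1 - 1)···(p_J - 1), so the text's n or any multiple of it works), and None when a repeated prime introduces nilpotents as in Z/p²Z. The moduli are constructed values and the names are chosen here.

```python
from math import lcm

def trapdoor_exponent(k, limit=None):
    """Least n > 0 with r^(n+1) == r (mod k) for every r in Z/kZ, or None if no such
    n exists up to `limit` (default k*k; a nilpotent element never returns to itself,
    so a ring with nilpotents fails for every n)."""
    limit = limit or k * k
    for n in range(1, limit + 1):
        if all(pow(r, n + 1, k) == r for r in range(k)):
            return n
    return None

def factor_small(k):
    """Trial-division factorization of a small positive integer as {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= k:
        while k % p == 0:
            factors[p] = factors.get(p, 0) + 1
            k //= p
        p += 1
    if k > 1:
        factors[k] = factors.get(k, 0) + 1
    return factors

def predicted_exponent(k):
    """Square-free k = p_1 ... p_J: Z/kZ = F_p1 (+) ... (+) F_pJ, so the least n is
    lcm(p_i - 1).  A repeated prime gives nilpotents (p in Z/p^2 Z), hence None."""
    factors = factor_small(k)
    if any(e > 1 for e in factors.values()):
        return None
    return lcm(*[p - 1 for p in factors])

if __name__ == "__main__":
    for k in (6, 15, 35, 9, 12):     # constructed moduli: three square-free, two not
        print(k, trapdoor_exponent(k), predicted_exponent(k))
```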

Classification Theorem

Let R be any trapdoor ring. Then

a. R has a 1.

b. R is commutative.

c. R is isomorphic to $F_{q_1} \oplus \cdots \oplus F_{q_J}$ for certain finite fields.

(Two rings R and S are isomorphic to each other if there exists a function
$f : R \to S$ which is one-to-one and onto and satisfies $f(r_1 + r_2) = f(r_1) + f(r_2)$,
$f(r_1 r_2) = f(r_1) f(r_2)$ for all $r_1, r_2 \in R$.)



The proof relies on the use of Wedderburn's structure theory [5] for
semisimple rings. The main steps of the argument are as follows:

1. The ring R is trapdoor implies that R has no nilpotent elements except
0. (An element x is said to be nilpotent if $x^a = 0$ and $x^{a-1} \neq 0$ for some
a > 0.)

2. A finite ring without non-zero nilpotent elements must have a 1 [5].

3. A finite ring with 1 and lacking nilpotents (≠ 0) is a direct sum of
matrix rings with entries in a division algebra (skew field) -
Wedderburn's theorem.

4. If any of these matrices is not 1x1, then there will be non-zero
nilpotent elements in R.

5. Hence R is a direct sum of finite skew fields.

6. A finite skew field is necessarily commutative (Wedderburn-Witt
theorem).

Hence the only finite trapdoor rings are of the type described above up to
isomorphism.

Other possible trapdoor structures

Instead of using rings, we only need a system S in which an associative
multiplication is defined, satisfying

1. For all $a, b \in S$, $ab \in S$

2. For all $a, b, c \in S$, $a(bc) = (ab)c$

Such a system is called a semigroup. If S is a semigroup with a 1
satisfying a·1 = 1·a = a for all $a \in S$ then S is said to be a monoid.
Further if a monoid S has the additional property that for each $a \in S$ there is a unique
corresponding $b \in S$ such that ab = ba = 1 then S is said to be a group. In a
finite group G with n elements, every $g \in G$ satisfies $g^n = 1$, $g^{n+1} = g$.
Hence a finite group of order n can be used to construct trapdoor
systems. On the other hand, not all semigroups can be used to form trapdoor
systems. Semigroups with the property that $a^{n+1} = a$ for all $a \in S$ are
possible candidates. A more formal way of expressing this constraint would
be: a semigroup S can be used provided it is completely regular.
Let us now consider some examples of finite systems that might serve as a
basis for a generalized RSA cryptosystem.

Ring of Matrices

If the ring of all n×n matrices $M_n$ over the ring R = Z/mZ, where
$m = \prod_{i=1}^{s} p_i^{r_i}$ (the $p_i$'s are primes), is considered, then the ring $M_n$
contains nilpotent elements when n > 1. This problem can be overcome by
restricting the message space thereby avoiding nilpotent elements. In
this paper, we consider three such subsets namely, the set of non-singular
matrices over Z/mZ, the set of upper triangular matrices over Z/mZ and the
set of orthogonal matrices over Z/mZ.

Let us first consider the multiplicative group formed by the non-singular
matrices of order n over Z/mZ. The order of the group, $N_m$, is given by

$N_m = \prod_{i=1}^{s} N_{p_i^{r_i}}$    (2)

where $N_{p_i^{r_i}}$ denotes the order of the group formed by non-singular
matrices over $Z/p_i^{r_i} Z$.

It is well known [6] that the order of the group formed by non-singular
matrices over Z/pZ is given by

$N_p = (p^n - 1)(p^n - p) \cdots (p^n - p^{n-1})$    (3)




To evaluate $N_{p^r}$ in general, let θ be the homomorphism mapping an
n×n matrix A over $Z/p^{r+1} Z$ to A', a matrix over $Z/p^r Z$, via
$a_{ij} \pmod{p^{r+1}} \to a_{ij} \pmod{p^r}$. This induces a surjective
homomorphism θ' between the linear groups formed by these matrices.
That is,

$\theta' : GL_n(Z/p^{r+1} Z) \to GL_n(Z/p^r Z)$

Using group theory [7],

$GL_n(Z/p^{r+1} Z) / \mathrm{Kernel}\ \theta' \cong GL_n(Z/p^r Z)$

where ≅ denotes isomorphic to.

The kernel consists of the set of matrices which are mapped to the
identity matrix I (mod $p^r$), i.e.

$a_{ii} \equiv 1 \pmod{p^r}$ for $1 \le i \le n$    (4)
$a_{ij} \equiv 0 \pmod{p^r}$ for $i \neq j$    (5)

There are p possibilities for each of the equations (4) and (5) giving
rise to $p^{n^2}$ possibilities. Therefore using group theory, the order
(denoted by the symbol #) is given by

$\# GL_n(Z/p^{r+1} Z) = p^{n^2} \, \# GL_n(Z/p^r Z)$
$= p^{r n^2} \, \# GL_n(Z/pZ)$






Thus using (3) 



Np r i = P i (r i- 1,n *' (Pi n -D (Pi n - 



Pi 



Substituting (6) into (2) gives the order N m . 

Now as in the RSA cryptosystem, if m is made to be the product of two distinct primes p and q, then the expression for N_m simplifies to

N_m = N_p N_q = (p^n - 1) \cdots (p^n - p^{n-1}) \, (q^n - 1) \cdots (q^n - q^{n-1})

A public key system can therefore be constructed using (e, m, n) as the public encryption key and (d, m, n) as the secret decryption key. The coding exponents e and d are determined using

ed \equiv 1 \pmod{N_m}   (7)

A message M ∈ GL_n(Z/mZ) obeys

M^{N_m} \equiv I \pmod m

The encryption and decryption procedures can therefore be given by

C = M^e \pmod m

and

M = C^d \pmod m

respectively, where M, C ∈ GL_n(Z/mZ).

Although the order N_m can be used in finding e and d as in (7), in practice it is often desirable to find the exponent, EXP, of the group, that is, the least integer greater than zero such that

M^{EXP} \equiv I \pmod m \quad \forall M \in GL_n(Z/mZ)

The exponent of the group can be shown to be [8,9]

EXP = \mathrm{lcm}\{v_1, \ldots, v_s\}

where

v_i = p_i^{r_i - 1} v_i^* \quad \text{and} \quad v_i^* = p_i \cdot \mathrm{lcm}(p_i - 1, p_i^2 - 1, \ldots, p_i^n - 1)

(assuming p_i is greater than n for all i).

As the expressions for the order N_m (and the exponent EXP) depend on the prime factors of m, they can be used to design a public key cryptosystem by choosing m to be a large integer.

Alternatively, let us now consider the set of upper triangular matrices as a possible choice for the message space. If the diagonal entries are made unity, to ensure that the matrix is invertible over any modulus, then the order of the group formed by such matrices over Z/mZ is equal to ord = m^{n(n-1)/2}. That is, the order does not depend on the prime factors of m and hence this cannot be used as a public key system. A conventional cryptosystem can be designed where the secret key is (e, d, m, n) and the exponents e and d are calculated using ed ≡ 1 (mod ord).



However, if the message space is altered to contain upper triangular matrices with diagonal entries relatively prime to m, then such matrices are again invertible modulo m. Further, in practice, as m is a product of large prime numbers, the choice of diagonal elements is almost arbitrary provided they are chosen to be relatively small integers.

The order of the group formed by such matrices is determined as follows:

Considering an n×n matrix, it is required that all the n diagonal entries must be coprime to m. The number of integers less than m and coprime to m is given by the Euler totient function φ(m). The remaining n(n-1)/2 superdiagonal entries of the matrix may take any value modulo m. Therefore, the order is equal to

\text{order} = m^{n(n-1)/2} \, \phi(m)^n

The vital difference between this order and the one calculated above is that now the order of the group is dependent on the prime factors of m. Hence the modulus m needs to be factorized before the decryption exponent d can be calculated using ed ≡ 1 (mod order). As for the set of non-singular matrices, the exponent of the group formed by such upper triangular matrices can be used instead of the order in finding e and d. The exponent of the group is shown to be [8,9]

EXP' = \mathrm{lcm}\{\phi(p_1^{r_1}) p_1^{r_1}, \ldots, \phi(p_s^{r_s}) p_s^{r_s}\}

where

m = \prod_{i=1}^{s} p_i^{r_i}


Finally, one can also use a special set of non-singular matrices, namely the set of orthogonal matrices, as the message space of the matrix based RSA system. The order of the group formed by n×n orthogonal matrices over Z/pZ has been worked out by MacWilliams [10].

For odd n, i.e. n = 2a + 1 for some integer a, the order is given by

2 p^a \prod_{i=0}^{a-1} (p^{2a} - p^{2i})

For even n, i.e. n = 2a, the order is given by

2 (p^a - 1) \prod_{i=1}^{a-1} (p^{2a} - p^{2i}) \quad \text{if } -1 \text{ is a square (mod } p)

and

2 \left(p^a + (-1)^{a+1}\right) \prod_{i=1}^{a-1} (p^{2a} - p^{2i}) \quad \text{if } -1 \text{ is a non-square (mod } p)

Using the Chinese Remainder Theorem, the order of the group formed by orthogonal matrices over Z/mZ, where m = pq is a square free integer, is equal to the product

(order of orthogonal matrices over Z/pZ) × (order of orthogonal matrices over Z/qZ).

As the factorization of the modulus m is required to calculate the order, this set can be used in the matrix based public key system.
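As an added check (my own Python code, not part of the original paper), the following compares the two MacWilliams formulas quoted above against a brute-force count of n×n matrices M over Z/pZ with M M^T = I, i.e. ordered systems of n pairwise orthogonal unit row vectors. The function names and the small (n, p) cases are my own choices; the brute force is exponential and only meant for tiny parameters.

```python
from itertools import product
from math import prod


def minus_one_is_square(p):
    """Euler's criterion: -1 is a square mod the odd prime p iff (-1)^((p-1)/2) = 1 mod p."""
    return pow(p - 1, (p - 1) // 2, p) == 1


def macwilliams_order(n, p):
    """Order of the group of n x n orthogonal matrices over Z/pZ (p an odd prime),
    as quoted from MacWilliams [10] in the text above."""
    assert p % 2 == 1, "the quoted formulas are for odd primes"
    a = n // 2
    if n % 2 == 1:                                           # n = 2a + 1
        return 2 * p**a * prod(p**(2 * a) - p**(2 * i) for i in range(a))
    body = prod(p**(2 * a) - p**(2 * i) for i in range(1, a))   # n = 2a
    if minus_one_is_square(p):
        return 2 * (p**a - 1) * body
    return 2 * (p**a + (-1)**(a + 1)) * body


def count_orthogonal_bruteforce(n, p):
    """Count n x n matrices M over Z/pZ with M M^T = I by choosing the rows one at a
    time from the unit vectors, keeping each new row orthogonal to the earlier ones."""
    def dot(u, v):
        return sum(x * y for x, y in zip(u, v)) % p

    units = [v for v in product(range(p), repeat=n) if dot(v, v) == 1]

    def extend(rows):
        if len(rows) == n:
            return 1
        return sum(extend(rows + [v]) for v in units
                   if all(dot(v, r) == 0 for r in rows))

    return extend([])


def check_macwilliams(cases=((2, 3), (2, 5), (2, 7), (3, 3), (3, 5), (4, 3))):
    """Return {(n, p): (formula, brute_force)}; the two entries agree in every case."""
    return {(n, p): (macwilliams_order(n, p), count_orthogonal_bruteforce(n, p))
            for n, p in cases}


if __name__ == "__main__":
    for key, (formula, brute) in check_macwilliams().items():
        print(key, formula, brute, "ok" if formula == brute else "MISMATCH")
```

Note that the even case switches between the two expressions on whether -1 is a square mod p, e.g. p = 5 (a square) versus p = 3 or 7 (a non-square); for n = 2 both give 8 for p = 3 and p = 5 but 16 for p = 7.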



Thus it can be seen that the RSA system can be generalised to matrix rings provided the message space is restricted to avoid nilpotent elements. From a practical implementation point of view, the upper triangular matrices with invertible diagonal elements seem to be the better candidate as the messages can be constructed in an almost arbitrary manner. In the case of non-singular matrices, an additional procedure to find the determinant of the message matrix is required. However, this problem can be overcome by constructing the message matrix as a product of upper triangular and lower triangular matrices as follows:

Let U be an upper triangular matrix and L be a lower triangular matrix with unit diagonal over Z/mZ. The elements other than the diagonal ones in U and L can be arbitrarily chosen modulo m. As both U and L are invertible over Z/mZ, their product M = LU is also invertible over Z/mZ. Further, the non-commutativity property of matrices (LU ≠ UL in general) ensures that the cryptanalyst still needs to factorize m to be able to calculate the decrypting exponent d. This is in contrast to the case of just the upper triangular matrices with unit diagonal mentioned earlier. This is because M^e = (LU)^e ≠ L^e U^e. Thus although U^{ed_1} ≡ U (mod m) and L^{ed_1} ≡ L (mod m) where ed_1 ≡ 1 (mod ord), in general M^{ed_1} ≢ M (mod m), whereas M^{ed} ≡ M (mod m) where ed ≡ 1 (mod N_m or EXP). The receiver can recover the matrices L and U uniquely given the matrix M. Furthermore, the above procedure also applies if one of U or L is a triangular matrix with invertible diagonal elements and the other a triangular matrix with unit diagonal.
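The following Python example is added here and is not taken from the paper or from the simulation it mentions. It works through the n = 2, m = pq case: N_m from (6) and (2), the exponent EXP from the lcm formula, the pair (e, d), and then the point of the last two paragraphs: for a unit upper triangular message the exponent d_1 derived from the public order m^{n(n-1)/2} already decrypts, while for M = LU only the d derived from N_m (or from EXP) does. The primes, exponent and matrix entries are my own small choices.

```python
from math import gcd, lcm, prod


def mat_mul(A, B, m):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % m for j in range(n)]
            for i in range(n)]


def mat_pow(M, exp, m):
    """Square-and-multiply exponentiation of an n x n matrix modulo m."""
    n = len(M)
    R = [[int(i == j) for j in range(n)] for i in range(n)]
    M = [[x % m for x in row] for row in M]
    while exp:
        if exp & 1:
            R = mat_mul(R, M, m)
        M = mat_mul(M, M, m)
        exp >>= 1
    return R


def gl_order_prime_power(p, r, n):
    """# GL_n(Z/p^r Z) from (6): p^((r-1) n^2) (p^n - 1)(p^n - p) ... (p^n - p^(n-1))."""
    return p**((r - 1) * n * n) * prod(p**n - p**i for i in range(n))


def gl_order(factors, n):
    """N_m = product over the prime powers p^r dividing m of # GL_n(Z/p^r Z), eq. (2)."""
    return prod(gl_order_prime_power(p, r, n) for p, r in factors)


def gl_exponent(factors, n):
    """EXP = lcm{v_i} with v_i = p^(r-1) * p * lcm(p-1, ..., p^n - 1); assumes p > n."""
    vs = []
    for p, r in factors:
        assert p > n, "the exponent formula assumes every prime exceeds n"
        vs.append(p**(r - 1) * p * lcm(*(p**k - 1 for k in range(1, n + 1))))
    return lcm(*vs)


def keygen(factors, n, e, use_exponent=False):
    """Return (m, d) with e*d = 1 mod N_m (or mod EXP when use_exponent is set)."""
    m = prod(p**r for p, r in factors)
    order = gl_exponent(factors, n) if use_exponent else gl_order(factors, n)
    assert gcd(e, order) == 1
    return m, pow(e, -1, order)


def demo(p=11, q=13, e=17):
    """m = pq, n = 2; L and U are unit lower/upper triangular and M = LU."""
    factors, n = [(p, 1), (q, 1)], 2
    m, d = keygen(factors, n, e)
    _, d_exp = keygen(factors, n, e, use_exponent=True)
    # unit upper triangular group: order m^(n(n-1)/2) is public, no factoring needed
    d1 = pow(e, -1, m ** (n * (n - 1) // 2))
    L = [[1, 0], [3, 1]]
    U = [[1, 2], [0, 1]]
    M = mat_mul(L, U, m)                      # [[1, 2], [3, 7]]
    C = mat_pow(M, e, m)
    return {
        "N_m": gl_order(factors, n),
        "EXP": gl_exponent(factors, n),
        "unit_triangular_recovered_with_d1": mat_pow(mat_pow(U, e, m), d1, m) == U,
        "LU_recovered_with_d1": mat_pow(C, d1, m) == M,
        "LU_recovered_with_d": mat_pow(C, d, m) == M,
        "LU_recovered_with_d_exp": mat_pow(C, d_exp, m) == M,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With these parameters e·d_1 − 1 = 12·143, and M mod 11 has eigenvalues 2 and 6 of order 10, which does not divide 12·143; that is why C^{d_1} misses M while C^d and C^{d_exp} (d_exp being the smaller exponent obtained from EXP = 120120 instead of N_m) both recover it.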

This extended RSA system using matrix messages has been simulated on a Prime Computer [8]. The encryption and the decryption of message matrices have been performed using the square and multiply technique [11].

Two points are worth mentioning regarding this extended system. Firstly, it is seen that a non-square free modulus can be used with this system, which is not possible with the RSA system over integers. That is, powers of primes can be used to form the modulus m. Secondly, the use of a matrix as a message allows large amounts of data to be processed within one encryption/decryption cycle. Whether this is an advantage depends upon the ease with which matrix manipulation can be carried out in real time.




Ring of Polynomials

Consider the factorization trapdoor system in another ring of special interest, namely the ring of polynomials R[x], which consists of polynomials with coefficients in an arbitrary ring R.

Let R = Z/pZ and f(x) be a polynomial in Z/pZ[x] of degree s whose factorization is given by

f(x) = g_1(x) \cdots g_r(x) \pmod p

where g_i(x), 1 ≤ i ≤ r, are distinct irreducible polynomials over Z/pZ of degree s_i respectively.

Consider the multiplicative group formed by polynomials over Z/pZ of degree less than s and relatively prime to f(x). The order of the group, denoted using the Euler function φ_p(f(x)), is evaluated as follows:

φ_p(f(x)) is equal to the number of invertible elements, that is, units in the residue ring Z/pZ[x]/(f(x)). This ring is isomorphic to Z[x]/(p, f(x)) and can be regarded as a direct sum of finite fields as

Z[x]/(p, f(x)) \cong Z[x]/(p, g_1(x)) \oplus \cdots \oplus Z[x]/(p, g_r(x))

where Z[x]/(p, g_i(x)) is the finite (Galois) field GF(p^{s_i}), s_i being the degree of g_i(x).



Hence

\text{units of } Z[x]/(p, f(x)) \cong \text{units of } Z[x]/(p, g_1(x)) \times \cdots \times \text{units of } Z[x]/(p, g_r(x))

so that the number of units is

(p^{s_1} - 1) \cdots (p^{s_r} - 1)

Hence

\phi_p(f(x)) = \prod_{i=1}^{r} (p^{s_i} - 1)   (9)

A public key system in Z[x]/(p, f(x)) can therefore be designed as follows [12]: The message space consists of polynomials {m(x)} of degree less than s over Z/pZ. The public encryption key is (e, p, f(x)) and the secret decryption key is (d, p, f(x)), where the coding exponents e and d are calculated using

ed \equiv 1 \pmod{\phi_p(f(x))}   (10)

The encryption procedure raises the message polynomial m(x) to the power e using

c(x) = (m(x))^e \bmod (p, f(x))

The decryption procedure is given by

m(x) = (c(x))^d \bmod (p, f(x))

As the order φ_p(f(x)) is dependent on the degrees of the irreducible factors of the modulus polynomial f(x), this scheme provides the trapdoor property.

However, the above scheme is not as secure as the RSA system over rational integers or the matrix based RSA system proposed earlier. This is because the security of this system is dependent on the difficulty of factorizing a composite polynomial into its irreducible factors over a finite field, which in general is not a hard problem, in sharp contrast with the factorization problem of a large integer.



Berlekamp [13] proposed an efficient algorithm for factoring polynomials over Z/pZ. For large primes p, Knuth [11] has suggested some modifications to Berlekamp's procedure. Once the degrees of the irreducible factors are found, the cryptanalyst can determine the order φ_p(f(x)) and then calculate the secret decoding exponent using (10). Furthermore, with this scheme the same decoding exponent d works for all sets of g_i(x), i = 1 to r, with the same degrees s_i.
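The next block is an added Python illustration (my own code, not from the paper or from [12]) of the cryptanalyst's job just described. It implements the scheme in Z[x]/(p, f(x)) for a toy f, then recovers the degrees s_i of the irreducible factors by distinct-degree factorisation (gcd(x^{p^k} − x, f) for k = 1, 2, ...), which is enough to compute φ_p(f(x)) from (9) and hence d from (10) without fully splitting f. It also shows that the same d works for a second modulus with the same factor degrees. The parameters p = 7, f(x) = (x+1)(x^2+1), e = 5 and the message are my choices; polynomials are coefficient lists, lowest degree first.

```python
from math import gcd, prod


def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def sub(a, b, p):
    return add(a, [(-y) % p for y in b], p)

def mul(a, b, p):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def divmod_(a, b, p):
    """Polynomial long division over Z/pZ; returns (quotient, remainder)."""
    a, b = trim(a), trim(b)
    inv = pow(b[-1], -1, p)
    q, r = [0] * max(len(a) - len(b) + 1, 0), a
    while r and len(r) >= len(b):
        k, c = len(r) - len(b), r[-1] * inv % p
        q[k] = c
        r = trim([(r[i] - c * b[i - k]) % p if i >= k else r[i] for i in range(len(r))])
    return trim(q), r

def poly_gcd(a, b, p):
    """Monic gcd by the Euclidean algorithm."""
    a, b = trim(a), trim(b)
    while b:
        a, b = b, divmod_(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def powmod(base, exp, f, p):
    """base(x)^exp mod (p, f(x)) by square and multiply."""
    result, base = [1], divmod_(base, f, p)[1]
    while exp:
        if exp & 1:
            result = divmod_(mul(result, base, p), f, p)[1]
        base = divmod_(mul(base, base, p), f, p)[1]
        exp >>= 1
    return result

def factor_degrees(f, p):
    """Distinct-degree factorisation of a square-free f over Z/pZ.
    Returns {k: number of irreducible factors of degree k}; f is never split fully."""
    f = trim(f)
    f = [c * pow(f[-1], -1, p) % p for c in f]           # make monic
    degrees, h, k = {}, [0, 1], 0                        # h = x^(p^k) mod f
    while len(f) - 1 >= 2 * (k + 1):
        k += 1
        h = powmod(h, p, f, p)
        g = poly_gcd(sub(h, [0, 1], p), f, p)             # product of all degree-k factors
        if len(g) > 1:
            degrees[k] = (len(g) - 1) // k
            f = divmod_(f, g, p)[0]
            h = divmod_(h, f, p)[1]
    if len(f) > 1:                                        # what remains is irreducible
        degrees[len(f) - 1] = degrees.get(len(f) - 1, 0) + 1
    return degrees

def phi_p(f, p):
    """phi_p(f) = prod (p^{s_i} - 1) over the irreducible factors, eq. (9)."""
    return prod((p**k - 1)**c for k, c in factor_degrees(f, p).items())

def keygen(f, p, e):
    phi = phi_p(f, p)
    assert gcd(e, phi) == 1
    return phi, pow(e, -1, phi)

def encrypt(msg, e, f, p):
    assert poly_gcd(msg, f, p) == [1], "message must be coprime to f(x)"
    return powmod(msg, e, f, p)

def decrypt(ct, d, f, p):
    return powmod(ct, d, f, p)

if __name__ == "__main__":
    p, e = 7, 5
    f = mul([1, 1], [1, 0, 1], p)            # (x+1)(x^2+1) = x^3 + x^2 + x + 1
    phi, d = keygen(f, p, e)                 # phi = (7-1)(7^2-1) = 288, d = 173
    msg = [2, 1]                             # m(x) = x + 2
    print(factor_degrees(f, p), phi, d, decrypt(encrypt(msg, e, f, p), d, f, p))
```

The attacker runs factor_degrees on the public f(x) and needs only the multiset of degrees, exactly as the text says; for the second modulus (x+3)(x^2+1) the same d decrypts because the degrees, and hence φ_p, are unchanged.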

The security of this system can be increased if it is implemented in the ring Z[x]/(m, f(x)), where m is the product of distinct prime integers, m = \prod_{i=1}^{t} p_i, and f(x) is a square free composite polynomial as before.

The message space then consists of polynomials {m(x)} of degree less than s with coefficients in Z/mZ. Using the Chinese Remainder Theorem, the ring Z[x]/(m, f(x)) is isomorphic to the direct sum of rings

Z[x]/(m, f(x)) \cong Z[x]/(p_1, f_1(x)) \oplus \cdots \oplus Z[x]/(p_t, f_t(x))

where

f_i(x) = f(x) \pmod{p_i}

The order of the multiplicative group formed by polynomials of degree less than s and relatively prime to f(x) is equal to the number of units in Z[x]/(m, f(x)) and is given by φ_m(f(x)). Hence

\phi_m(f(x)) = \prod_{i=1}^{t} \phi_{p_i}(f_i(x))

Let the factorization of f_i(x) be

f_i(x) = \prod_{j=1}^{n_i} g_{ij}(x) \pmod{p_i}, \quad 1 \le i \le t   (11)

where the degree of the irreducible polynomial g_{ij}(x) over Z/p_iZ is s_{ij}. The upper limit n_i in the product term in (11) depends on the prime p_i modulo which the polynomial f(x) is being factored, because in general f(x) mod p_i will have a different number n_i of distinct irreducible factors as i varies.

But using (9)

\phi_{p_i}(f_i(x)) = \prod_{j=1}^{n_i} \left(p_i^{s_{ij}} - 1\right)

Hence,

\phi_m(f(x)) = \prod_{i=1}^{t} \prod_{j=1}^{n_i} \left(p_i^{s_{ij}} - 1\right)

The order now depends not only on the degrees of the irreducible factors but also on the prime divisors of the modulus m. Thus the cryptanalyst needs to factorize both m and f(x), and this gives rise to a system which is at least as strong as the corresponding RSA system over the integers. Furthermore, from the cryptographic point of view, it is required that both f(x) and m be square free to avoid nilpotent elements and enable proper decryption. In this respect, it differs from the matrix RSA system described earlier. This system has also been simulated on the Prime Computer [8].



Ring of Algebraic Integers

We now consider the design of public key systems in some algebraic number fields based on the factorization trapdoor.

A number θ is said to be an algebraic number [14] if it satisfies a polynomial equation

f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_0 = 0

where the coefficients are rational numbers, i.e. in Q. If the equation has rational integer coefficients and is monic, then θ is said to be an algebraic integer. If θ is algebraic over Q, then the field K = Q(θ) is defined to be the smallest extension field containing both Q and θ. That is, it consists of numbers of the form

a_0 + a_1 \theta + a_2 \theta^2 + \cdots

where the a_j are rational numbers.

The subset of the field K consisting of algebraic integers forms a ring D, called the ring of algebraic integers in K. In general, D is not a unique factorization domain. Factorization of elements in D is unique if and only if every irreducible in D is also a prime, that is, if and only if D is a principal ideal domain (PID). The rings where unique factorization of integers fails correspond to non-principal ideal domains. In such domains there are irreducibles which are not primes, and they generate principal ideals which are not prime ideals but factorize into non-principal ideals [15]. We only consider the design of factorization trapdoor systems in PIDs. Unless otherwise stated, from now on D is assumed to be a PID.



Let m be a square free integer in some ring D and its factorization be

m = \prod_{i=1}^{r} \pi_i

where the π_i are irreducibles, or primes, in D.

Then, using the Chinese Remainder Theorem, the residue class ring is isomorphic to the direct sum of finite fields as

D/\langle m \rangle \cong D/\langle \pi_1 \rangle \oplus \cdots \oplus D/\langle \pi_r \rangle

where ⟨π_i⟩ denotes the principal ideal generated by π_i. The order of the group formed by invertible residue classes modulo the ideal ⟨m⟩ is given by φ⟨m⟩, which is similar to the Euler function φ for rational integers:

\phi\langle m \rangle = \phi\langle \pi_1 \rangle \cdots \phi\langle \pi_r \rangle   (12)

For a prime π_i,

\phi\langle \pi_i \rangle = N\langle \pi_i \rangle - 1   (13)

where N⟨π_i⟩ denotes the norm of the ideal ⟨π_i⟩, the number of residue classes modulo the ideal ⟨π_i⟩.

A public key system is therefore possible as the order depends on the prime factors of m. Such a scheme is illustrated by considering a simple quadratic field K = Q(i). The ring of integers D = Z[i] consists of elements of the form {a + bi | a, b ∈ Z} and is commonly known as the ring of Gaussian integers. Now m is a composite integer in Z[i] and its factors π_i, 1 ≤ i ≤ r, are primes in Z[i]. To be able to calculate φ⟨m⟩, it is necessary to find N⟨π_i⟩, 1 ≤ i ≤ r (see (12) and (13)).



The norm N⟨π_i⟩ is a rational integer and is equal to

N\langle \pi_i \rangle = \pi_i \bar{\pi}_i

where \bar{\pi}_i is the complex conjugate of π_i.

Let the prime decomposition of N⟨π_i⟩ in Z be

N\langle \pi_i \rangle = p_1 \cdots p_b

where the p_j are primes in Z (not necessarily distinct).

Then, as π_i | N⟨π_i⟩, π_i | p_1 ⋯ p_b. That is, π_i divides one of the primes p_j. It cannot divide two distinct primes p_j and p_k: if it did, then it is possible to find two integers a and b using Euclid's algorithm such that a p_j + b p_k = 1, and as π_i | p_j and π_i | p_k, π_i | 1, so π_i is a unit and not a prime, which is contrary to the assumption. Thus every Gaussian prime π_i divides only one rational prime, which we denote by p_i. Hence N⟨π_i⟩ divides N⟨p_i⟩. But N⟨p_i⟩ = p_i^2. Therefore N⟨π_i⟩ = p_i or p_i^2. It can be shown [14] that if p_i ≡ 1 (mod 4) then N⟨π_i⟩ = p_i, whereas if p_i ≡ 3 (mod 4) then N⟨π_i⟩ = p_i^2. Thus the order φ⟨m⟩ is given by

\phi\langle m \rangle = \prod_{i=1}^{r} \left( N\langle \pi_i \rangle - 1 \right)

The encryption and decryption coding exponents e and d can be calculated using

ed \equiv 1 \pmod{\phi\langle m \rangle}   (14)

The messages are represented using the residue classes modulo the ideal ⟨m⟩, and there are N⟨m⟩ such residue classes.

Case 1

First consider the case where the primes π_i which form m divide rational primes p_i of the form p_i ≡ 1 (mod 4). Then the norm is a square free rational integer given by

N\langle m \rangle = \prod_{i=1}^{r} N\langle \pi_i \rangle = p_1 \cdots p_r

The residue class ring Z[i]/⟨m⟩ is isomorphic to the direct sum of the finite fields Z[i]/⟨π_i⟩, 1 ≤ i ≤ r. The field Z[i]/⟨π_i⟩ contains p_i elements. Therefore, one standard method of representing the messages mod ⟨m⟩ would be to use the integers in the ring Z/N⟨m⟩Z, that is, 0 to N⟨m⟩ − 1. This is similar to the message space of the RSA system over rational integers. The encryption and decryption processes are carried out using C = M^e (mod N⟨m⟩) and M = C^d (mod N⟨m⟩), and (e, N⟨m⟩) is the public key.

Now consider the situation where the message space still consists of the integers in Z/N⟨m⟩Z but the encryption and decryption procedures are calculated modulo m, m ∈ Z[i]. Let m = a + bi and the message be M in Z/N⟨m⟩Z. Then encryption gives, say,

C = M^e \equiv g + hi \pmod{(a + bi)}

Decryption produces

(g + hi)^d \equiv k + li \pmod{(a + bi)}

That is, the recovered message M is equal to k + li:

M \equiv k + li \pmod{(a + bi)}   (15)

Conjugating both sides of (15)

M \equiv k - li \pmod{(a - bi)}

Using the Chinese Remainder Theorem, the original M can be obtained as

M \equiv \alpha_1 (k - li) + \alpha_2 (k + li) \pmod{(a + bi)(a - bi)}

where α_1 + α_2 = 1 with α_1 ≡ 0 (mod (a + bi)) and α_2 ≡ 0 (mod (a − bi)), α_1, α_2 ∈ Z[i].



Case 2

If the primes π_i which form m divide rational primes p_i of the form p_i ≡ 3 (mod 4), then N⟨m⟩ is a non-square free rational integer given by

N\langle m \rangle = \prod_{i=1}^{r} p_i^2

In this case, although Z[i]/⟨π_i⟩ is a finite field of p_i^2 elements, one cannot represent the residue classes modulo ⟨π_i⟩ using the integers Z/p_i^2Z, as the latter does not form a finite field. On the other hand, one can represent the messages in the form M = x + iy, where 0 ≤ x, y ≤ √N⟨m⟩ − 1, thus giving rise to N⟨m⟩ distinct residue classes modulo ⟨m⟩.

Encryption is performed by raising the message M to the power e and reducing the coefficients modulo √N⟨m⟩. That is, if M = x + iy, then

C \equiv M^e \equiv (x + iy)^e \pmod{\langle m \rangle} = g \ (\bmod \sqrt{N\langle m \rangle}) + h \ (\bmod \sqrt{N\langle m \rangle}) \, i

A similar procedure is carried out in decryption.



Case 3

If m factorizes into primes π_i some of which divide rational primes p ≡ 1 (mod 4) and others divide rational primes p ≡ 3 (mod 4), then it can be shown [8] that the cryptanalyst can easily partly factorize m and hence reduce the difficulty of breaking the system. Therefore from the cryptographic point of view, this case should not be used.

The security of the public key system in Z[i] again depends on the difficulty of factorizing a large rational integer into its primes; in Case 1, the rational integer N⟨m⟩ = p_1 ⋯ p_r needs to be factored, whereas in Case 2 the rational integer √N⟨m⟩ = p_1 ⋯ p_r needs to be factored. In both cases, once the primes p_1 to p_r are found, the order φ⟨m⟩ can be easily determined using

\phi\langle m \rangle = \prod_{i=1}^{r} \left( N\langle \pi_i \rangle - 1 \right) \quad \text{where } N\langle \pi_i \rangle = p_i \text{ or } p_i^2.

Then the secret coding exponent d can be calculated using (14). Note that the cryptanalyst does not need to know the Gaussian primes π_1 to π_r but only needs to know their respective norms. In other words, the cryptanalyst will be working over Z and not over Z[i].

The design of the factorization trapdoor system as described above can be extended to other quadratic fields which are principal ideal domains.
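As an added Python example (my own code, not from [8]), here is Case 2 with the toy modulus m = 3·7, both primes ≡ 3 (mod 4) and hence themselves Gaussian primes with norms 3^2 and 7^2: messages x + iy are raised to e with both coefficients reduced modulo √N⟨m⟩ = 21, φ⟨m⟩ = (3^2 − 1)(7^2 − 1) by (12) and (13), and the attacker's side described above is shown as well: given only the public norm N⟨m⟩ and e, taking the square root and factoring it over Z yields d. The primes, e and the message are constructed for the example.

```python
from math import gcd, isqrt, prod


def g_mul(a, b, n):
    """(x1 + i y1)(x2 + i y2) with both coefficients reduced mod the rational integer n."""
    (x1, y1), (x2, y2) = a, b
    return ((x1 * x2 - y1 * y2) % n, (x1 * y2 + y1 * x2) % n)


def g_pow(a, exp, n):
    """Square-and-multiply in Z[i] with coefficients mod n."""
    r, a = (1, 0), (a[0] % n, a[1] % n)
    while exp:
        if exp & 1:
            r = g_mul(r, a, n)
        a = g_mul(a, a, n)
        exp >>= 1
    return r


def case2_keys(primes, e):
    """primes: rational primes p_i = 3 (mod 4); each is a Gaussian prime pi_i with N<pi_i> = p_i^2.
    Returns (sqrt of N<m>, public norm N<m>, phi<m>, secret d)."""
    assert all(p % 4 == 3 for p in primes)
    root = prod(primes)                       # m is this rational integer (up to a unit)
    phi = prod(p * p - 1 for p in primes)     # (12) and (13) with N<pi_i> = p_i^2
    assert gcd(e, phi) == 1
    return root, root * root, phi, pow(e, -1, phi)


def is_unit_mod_m(msg, primes):
    """x + iy is invertible mod m iff it is nonzero modulo every inert prime p_i."""
    return all((msg[0] % p, msg[1] % p) != (0, 0) for p in primes)


def encrypt(msg, e, root):
    return g_pow(msg, e, root)


def decrypt(ct, d, root):
    return g_pow(ct, d, root)


def trial_factor(n):
    """Attacker's tool for the toy size only; real parameters need a real factoring algorithm."""
    factors, q = [], 2
    while q * q <= n:
        while n % q == 0:
            factors.append(q)
            n //= q
        q += 1
    return factors + ([n] if n > 1 else [])


def attack(public_norm, e):
    """From N<m> alone: take the square root, factor it over Z, rebuild phi<m>, invert e."""
    root = isqrt(public_norm)
    assert root * root == public_norm, "Case 2 norms are perfect squares"
    primes = trial_factor(root)
    return pow(e, -1, prod(p * p - 1 for p in primes))


if __name__ == "__main__":
    root, norm, phi, d = case2_keys((3, 7), e=5)     # root = 21, norm = 441, phi = 384
    msg = (4, 9)                                     # x + iy with 0 <= x, y <= 20
    assert is_unit_mod_m(msg, (3, 7))
    ct = encrypt(msg, 5, root)
    print(ct, decrypt(ct, d, root), attack(norm, 5) == d)
```

Z[i]/⟨21⟩ splits as GF(9) × GF(49), so any message that is nonzero modulo both 3 and 7 satisfies M^{384} = 1 and decrypts correctly; the attacker never touches Z[i] at all, exactly as the text observes.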



Discussion

A generalization of the RSA cryptosystem in the ring of matrices over Z/mZ, where m is a composite integer, is proposed. It is shown that factorization of the modulus m is needed to compute the order of the group formed by non-singular matrix messages, upper triangular matrix messages with non-unity invertible diagonal elements and orthogonal matrix messages, thus offering a similar level of security as the RSA system.

An extension of the RSA system to polynomial rings has been considered. The difficulty of factorization of a polynomial into its irreducible factors over a finite field does not in itself provide a secure public key cryptosystem. However, if the difficulty of factorizing a polynomial is compounded with the difficulty of factorizing an integer, then a secure RSA type cryptosystem in the ring of polynomials is seen to be possible.

The design of public key systems in some quadratic algebraic number fields using the factorization trapdoor concept has been presented. The security of such systems is found to be dependent on the difficulty of factoring the norm of the modulus.

The investigation of such extensions of the RSA cryptosystem indicates that rings other than the ring of rational integers can be used to construct public key systems based on the factorization trapdoor property. From a practical point of view, however, it seems that the complexity of such systems may favour the implementation of the factorization trapdoor in the ring of rational integers.



References

1. Diffie, W. and Hellman, M.E., 'New Directions in Cryptography', IEEE Trans. on Inf. Theory, Vol. IT-22, 1976, pp. 644-654.

2. Rivest, R.L., Shamir, A. and Adleman, L., 'A Method for Obtaining Digital Signatures and Public Key Cryptosystems', Comm. ACM, Vol. 21, No. 2, 1978, pp. 120-126.

3. Diffie, W. and Hellman, M.E., 'Privacy and Authentication: An Introduction to Cryptography', Proc. IEEE, Vol. 67, No. 3, 1979.

4. Davies, D., 'Limits to Computations', NPL note, London.

5. Van der Waerden, B.L., Modern Algebra, Vol. 1 and 2, 1949.

6. Dickson, L.E., Linear Groups with an Exposition of the Galois Field Theory, Dover Pub., 1958.

7. Albert, A.A., Fundamental Concepts of Higher Algebra, The Univ. of Chicago Press, 1956.

8. Varadharajan, V., Some Cryptographic Techniques for Secure Data Communication, Ph.D. Thesis, CNAA, 1984.

9. Varadharajan, V. and Odoni, R., 'Extension of RSA Cryptosystem to Matrix Rings', Cryptologia, accepted for publication Aug. 1984.

10. MacWilliams, J., 'Orthogonal Matrices over Finite Fields', American Mathematical Monthly, Feb. 1969.

11. Knuth, D.E., The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, Second Edition, Addison-Wesley, 1981.

12. Kravitz, D.W. and Reed, I.S., 'Extension of RSA Cryptostructure: A Galois Approach', IEE Electronics Letters, Vol. 18, No. 6, 1982, pp. 255-256.

13. Berlekamp, E.R., 'Factoring Polynomials over Large Finite Fields', Maths. of Computation, Vol. 24, No. 111, 1970, pp. 713-735.

14. Pollard, H., The Theory of Algebraic Numbers, The Carus Math. Monographs, No. 9, Pub. by Math. Assoc. of America, John Wiley, 1950.

15. Rosen, M. and Ireland, K., A Classical Introduction to Modern Number Theory, Springer-Verlag, 1980.



Acknowledgements

The author would like to acknowledge the help of Prof. R. Odoni, Dept. of Maths., Exeter University, for valuable discussions on the subject.



ON COMPUTING LOGARITHMS OVER FINITE FIELDS 



Taher ElGamal

Hewlett-Packard Labs
3172 Porter Dr., bldg 29U
Palo Alto CA 94304

ABSTRACT

The problem of computing logarithms over finite fields has proved to be of interest in different fields [4]. Subexponential time algorithms for computing logarithms over the special cases GF(p), GF(p^2) and GF(p^m) for a fixed p and m → ∞ have been obtained. In this paper, we present some results for obtaining subexponential time algorithms for the remaining cases GF(p^m) for p → ∞ and fixed m ≠ 1, 2. The algorithm depends on mapping the field GF(p^m) into a suitable cyclotomic extension of the integers (or rationals). Once an isomorphism between GF(p^m) and a subset of the cyclotomic field Q(ω_q) is obtained, the algorithm becomes similar to the previous algorithms for m = 1, 2.

A rigorous proof for subexponential time is not yet available, but using some heuristic arguments we can show how it could be proved. If a proof were obtained, it would use results on the distribution of certain classes of integers and results on the distribution of some ideal classes in cyclotomic fields.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 396-402, 1986.
© Springer-Verlag Berlin Heidelberg 1986



1. INTRODUCTION

This paper gives some ideas for extending the Merkle-Adleman algorithm for computing discrete logarithms over GF(p) [1,7,9] to higher order fields. Section 2 finds appropriate integral domains for extending the algorithm. The reader is referred to [8,11] for a discussion of number fields and of using integral domains to extend the algorithm. Section 3 gives some ideas regarding the running time of the algorithm.

2. FINDING THE ISOMORPHISM

From the discussion in [6], it seems natural to use higher number fields to extend the algorithm to higher order finite fields. Unfortunately, higher algebraic number fields do not have all the properties of quadratic fields that were used in proving a subexponential running time in [6]. For example, the norm function is not as easy to find, and hence the proofs for the fraction of smooth elements are more difficult. So the discussion in this paper is restricted to using a certain class of algebraic number fields; namely, the cyclotomic fields. For a discussion of the properties of cyclotomic fields, the reader is referred to [11]. Cyclotomic fields are used because they possess some of the properties of quadratic fields that were needed in developing the algorithm for the case GF(p^2). For example, the splitting of primes in cyclotomic extensions is easy to determine, which is not the case for general fields.

For simplicity, only "prime" cyclotomic fields will be used, i.e. the fields Q(ω_q) where ω_q is a primitive qth root of unity and q is a prime in Z. The qth cyclotomic polynomial has the form

\Phi_q(D) = D^{q-1} + D^{q-2} + \cdots + D + 1.

Note that the general cyclotomic polynomial does not necessarily have this nice form. Hence the qth cyclotomic field has degree q − 1 = φ(q). Some results on cyclotomic fields are needed to find the appropriate cyclotomic fields. The reader is referred to [11] for proofs.

Recall, from [11], the results on the splitting of primes in cyclotomic extensions (known as Kummer's theorem). For each prime p ∈ Z

\langle p \rangle = \prod_{i=1}^{g} \left(p, h_i(\omega_q)\right),

where

\Phi_q(D) \equiv \prod_{i=1}^{g} h_i(D) \pmod p.

The polynomials h_i(D) all have degree f, where fg = q − 1, and f is equal to the order of p mod q (or the order of p in the multiplicative group of GF(q), which is usually denoted by (Z/q)*). Hence the splitting of the ideal (p) in Z(ω_q) depends on the factorization of the qth cyclotomic polynomial mod p, which is easy to find (see [11]).

If R_i = (p, h_i(ω_q)), then N(R_i) = p^f, where N(R_i) is the norm of the ideal R_i.

The next lemma relates cyclotomic polynomials to the orders of elements in (Z/q)*.

Lemma 1

Let q be a prime with q ∤ n, and let a ∈ Z. Then q | Φ_n(a) if and only if the order of a in (Z/q)* is n.

Proof

First, if the order of a mod q is equal to n, then a^n − 1 ≡ 0 mod q and n is the smallest such exponent. Hence, q divides one of the factors of the polynomial D^n − 1 evaluated at D = a. It is known that

D^n - 1 = \prod_{d \mid n} \Phi_d(D)

(see [11]). Hence q divides Φ_n(a) since, if it divided another factor of a^n − 1, then the order of a would be less than n. Conversely, if q divides Φ_n(a), then a^n − 1 ≡ 0 mod q since q divides one of the factors of the polynomial D^n − 1 evaluated at D = a, and n is the smallest such exponent (otherwise q would divide Φ_d(a) for some d < n, in which case the polynomial D^n − 1 would have multiple roots mod q, which is never the case when q ∤ n [11]). This proves Lemma 1.

This lemma provides an easy check for the order of p mod q. That is, if the order of p mod q is equal to f, then q has to divide Φ_f(p).



Going back to the isomorphism, a cyclotomic field Q(ω_q) is used to generate a finite field GF(p^m), for p and m known (and m small). A field that is isomorphic to GF(p^m) needs to be found from the ring of integers in a cyclotomic field, similar to the isomorphisms that were found for the cases m = 1, 2.

One observation is that if the "residue classes" Z(ω_q)/R_i for some prime ideal R_i of norm p^m are constructed, then these residue classes form a finite field isomorphic to GF(p^m). Let

R_i = \left(p, h_i(\omega_q)\right),

and

\Phi_q(D) \equiv \prod_{i=1}^{g} h_i(D) \pmod p,

where each h_i(D) is irreducible mod p. Then h_i(D) is a candidate for generating GF(p^m).

Finding the appropriate field Q(ω_q)

The discrete logarithm problem is the following: given a, y and p^m, find x such that

a^x = y \quad \text{in } GF(p^m)

for some given irreducible polynomial K(D) with degree m. First, as noted in [2,3,10], the choice of the irreducible K(D) does not affect the running time of the algorithm, since all representations of GF(p^m) are isomorphic and only polynomial time is needed to find the corresponding logarithms in one representation if the logarithms are known in another representation.

From the above discussion, a prime ideal R that has norm equal to p^m needs to be obtained. That is equivalent to finding a prime q such that p has order m mod q. Equivalently, to construct an appropriate field Q(ω_q), a prime factor q of Φ_m(p) should be computed (see Lemma 1). This proves the existence of such a q, which might be quite large (for example O(p) or higher). In that case the obtained field cannot be used for our algorithm, since just representing an integer takes O(p) operations.

Fortunately, as p grows larger the probability that Φ_m(p) has at least one small factor is high if the number Φ_m(p) is assumed to be random, but for some given p and m no small divisor q may exist. The reason is that p^m − 1 should be chosen to have at least one large prime factor, and hence Φ_m(p) (which is a factor of p^m − 1) is likely to be a prime, or not to have any small prime factor.

For the cases where Φ_m(p) does not have any small factors, GF(p^m) could be embedded in GF(p^{im}) for some small i ∈ Z. log y can be found as if y and a were elements in GF(p^{im}) and the results transferred back to GF(p^m), which is isomorphic to the subfield of order p^m in GF(p^{im}).

So in this case, a small divisor of Φ_{im}(p) for some i ∈ Z is needed. That increases the chance of finding an appropriate q, since the probability that one of the numbers Φ_{im}(p), i = 1, 2, ..., I, for some I, has at least one small prime factor grows with I.

Note that Φ_m(p) need not be factored completely because only a small divisor (O(log p), for example) is needed. Even if Φ_m(p) is factored completely, the asymptotic running time of the algorithm will not increase, since Φ_m(p) = O(p^{φ(m)}) and factoring such a number also takes subexponential time in φ(m) log p.
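As an added Python example (my own, not ElGamal's code), here is the search for q just described: evaluate Φ_{im}(p) exactly from the product formula over the divisors of im, look for a small prime divisor q, confirm via Lemma 1 that p has order im mod q (which also discards the divisors of im that can divide Φ_{im}(p) without giving the right order), and fall back to i = 2, 3, ... when Φ_m(p) has no small factor. The cases p = 11 and p = 101 with m = 3, and the bound on what counts as "small", are my choices.

```python
def mobius(n):
    """Möbius function by trial division."""
    result, q = 1, 2
    while q * q <= n:
        if n % q == 0:
            n //= q
            if n % q == 0:
                return 0
            result = -result
        q += 1
    return -result if n > 1 else result


def cyclotomic_value(n, x):
    """Phi_n(x) as an exact integer: prod over d | n of (x^d - 1)^{mu(n/d)}."""
    num = den = 1
    for d in range(1, n + 1):
        if n % d == 0:
            mu = mobius(n // d)
            if mu == 1:
                num *= x**d - 1
            elif mu == -1:
                den *= x**d - 1
    assert num % den == 0
    return num // den


def multiplicative_order(a, q):
    """Order of a in (Z/q)*; q prime, q not dividing a."""
    a %= q
    assert a != 0
    k, y = 1, a
    while y != 1:
        y, k = y * a % q, k + 1
    return k


def small_prime_divisors(n, bound):
    """Prime divisors of n below `bound` by trial division; n need not be factored fully."""
    out, q = [], 2
    while q < bound and q * q <= n:
        if n % q == 0:
            out.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if 1 < n < bound:
        out.append(n)
    return out


def find_cyclotomic_prime(p, m, bound=1000, max_i=4):
    """Smallest i <= max_i and prime q < bound with q | Phi_{im}(p) and ord_q(p) = i*m,
    i.e. Z(omega_q) has a prime ideal of norm p^{im}; GF(p^m) embeds in GF(p^{im}).
    Returns (i, q) or None."""
    for i in range(1, max_i + 1):
        for q in small_prime_divisors(cyclotomic_value(i * m, p), bound):
            if p % q and multiplicative_order(p, q) == i * m:   # the Lemma 1 check
                return i, q
    return None


if __name__ == "__main__":
    print(cyclotomic_value(3, 11), find_cyclotomic_prime(11, 3))      # 133 = 7 * 19 -> (1, 7)
    print(cyclotomic_value(3, 101), find_cyclotomic_prime(101, 3))    # 10303 is prime -> (2, 7)
```

For p = 101 the value Φ_3(101) = 10303 is prime, so no usable q exists at i = 1; at i = 2, Φ_6(101) = 10101 = 3·7·13·37, the divisor 3 fails the order test (101 has order 2 mod 3, not 6) and q = 7 is accepted, giving a prime ideal of norm 101^6 in Z(ω_7).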

3. THE RUNNING TIME

This section sketches some ideas about the running time of the algorithm as described above.

A. The image of GF(p^m) is Z(ω_q)/R, which consists of the elements

\sum_{j=0}^{m-1} a_j \omega^j, \quad a_j \in Z \text{ for all } j,

and the norm of the ideal R is p^m.

B. All the elements in Z(ω_q)/R have norm less than

M = m^2 (p - 1)^m.

This is a loose bound, since it is obtained by adding m^2 terms. (When computing the norm of any element in Z(ω_q), m^2 terms are obtained, each of which has at most the value (p − 1)^m, since each a_j is less than p.)

C. The number of ideals in Z(ω_q) with norm up to M is linear in M (= kM) for some constant k (see [8]). The number of prime ideals in Z(ω_q) with norm up to M is therefore equal to O(…).

D. The number of principal prime ideals up to norm M is equal to the total number of prime ideals with norm up to M^{1/h}, where h is the class number of Z(ω_q), because any ideal A ⊂ Z(ω_q) raised to the hth power is principal.

E. The number of smooth principal ideals in Z(ω_q) with norm up to M (smooth is defined with respect to some value N for the maximum norm of the small prime principal ideals) can be computed in a way similar to the computation in [6] for the case of GF(p^2).

F. Assume that the smooth elements are uniformly distributed among the different subsets of elements with small norm. Then the ratio of smooth elements in Z(ω_q)/R is of the same form as for the cases GF(p) and GF(p^2), and a subexponential running time could be obtained.

REFERENCES

[1] L. Adleman, "A Subexponential Algorithm for the Discrete Logarithm Problem with Applications to Cryptography", to be published.

[2] I. Blake, R. Fuji-Hara, R. Mullin, and S. Vanstone, "Computing Logarithms in Finite Fields of Characteristic Two", to be published.

[3] D. Coppersmith, "Fast Evaluation of Logarithms in Fields of Characteristic Two", to appear in IEEE Transactions on Information Theory, July 1984.

[4] W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, pp. 644-654, Nov. 1976.

[5] W. Diffie and M. Hellman, "Privacy and Authentication: An Introduction to Cryptography", Proceedings of the IEEE, vol. 67, No. 3, March 1979.

[6] T. ElGamal, "A Subexponential-Time Algorithm for Computing Discrete Logarithms over GF(p^2)", submitted to IEEE Transactions on Information Theory.

[7] M. Hellman and J. Reyneri, "Fast Computation of Discrete Logarithms in GF(p^m)", presented at Crypto 82 Conference, Santa Barbara, CA, August 1982.

[8] D. Marcus, Number Fields, Springer-Verlag.

[9] R. Merkle, Secrecy, Authentication, and Public Key Systems, Ph.D. Dissertation, Electrical Engineering Department, Stanford University, June 1979.

[10] A. Odlyzko, "Discrete Logarithms in Finite Fields and Their Cryptographic Significance", to be published. Journal of Number Theory, vol. 15, no. 2, October 1982.

[11] L. C. Washington, Introduction to Cyclotomic Fields, Graduate Texts in Mathematics 83, Springer-Verlag, 1982.



ON USING RSA WITH LOW EXPONENT IN A PUBLIC KEY NETWORK



by Johan Hastad* 
MIT 

Abstract: We consider the problem of solving systems of equations $P_i(x) \equiv 0 \pmod{n_i}$, $i = 1, \dots, k$, where the $P_i$ are polynomials of degree $d$ and the $n_i$ are distinct relatively prime numbers and $x < \min n_i$. We prove that if $k > \frac{d(d+1)}{2}$ we can recover $x$ in polynomial time provided $n_i \gg 2^k$. This shows that RSA with low exponent is not a good alternative to use as a public key cryptosystem in a large network. It also shows that a protocol by Broder and Dolev [4] is insecure if RSA with low exponent is used.

1. Introduction 

Let us start with some cryptographic motivation. The famous RSA function [8] is defined as $f(x) = x^d \pmod n$. Here $n$ is usually taken of the form $n = pq$ where $p$ and $q$ are two large primes and $d$ is an integer relatively prime to $(p-1)(q-1)$. Using these parameters the function is $1$-$1$ when restricted to $1 < x < n$, $(x, n) = 1$. Furthermore the function is widely believed to be a trapdoor function, i.e. given $n$ and $d$ it is easy to compute $f(x)$, and given $f(x)$ it is also easy to recover $x$ provided you have some secret information, but otherwise it is infeasible. In this case the secret information is the factorization of $n$.

The RSA function can be used to construct a deterministic Public Key Cryptosystem (PKC) in the following way:

Each user $B$ in a communication network chooses two large primes $p$ and $q$, multiplies them together and publishes the result $n_B$ together with a number $d_B$ which is relatively prime to $(p-1)(q-1)$. He keeps the factorization as his private secret information. If any user $A$ in the system wants to send a secret message $m$ to another user $B$, she retrieves $B$'s published information, computes $y = m^{d_B} \pmod{n_B}$ and sends $y$ to $B$. $B$ now obtains the original message using his secret information while somebody else presumably faces an intractable computational task.

However PKC are different and more complex objects than trapdoor functions. For example the use of RSA in a PKC may present obstacles that did not occur when we considered it as a trapdoor function. Several people (at least Blum, Lieberherr and Williams) have observed the following attack. Assume that 3 is chosen as the exponent and that $A$ wants to send the same message $m$ to users $U_1, U_2$ and $U_3$. She will compute and send $y_i = m^3 \pmod{n_i}$, $i = 1, 2, 3$. But using the fact that $n_1, n_2$ and $n_3$ are relatively prime, a listener who knows the values of $y_1, y_2$ and $y_3$ can combine the messages by Chinese remaindering to get $m^3 \pmod{n_1 n_2 n_3}$ and since $m^3 < n_1 n_2 n_3$ he can recover $m$. In general if the exponent is $d$ the number of messages needed is $d$.

* Supported by an IBM fellowship, partially supported by NSF grant DCR-8509905



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 403-408, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






A natural question is therefore: Is there a better way to send the same message 
to many people using this PKC? 

A common heuristic tells us to use a "time stamp". Instead of sending the same message $m$ to everybody one attaches the time and thus sends the encryption of $2^k m + t$ where $2^k m$ is the shifted message and $t$ is the time (which will be different for the different receivers). The previous attack fails and we are led to the following computational problem (for $d = 3$).

Given $(a_i m + b_i)^3 \pmod{n_i}$ where all the $a_i$ and $b_i$ are known, is it possible to recover $m$ in polynomial time?
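The two situations just described, as an added example that is not part of the paper: the Chinese-remaindering attack on the same message sent unpadded to three recipients with exponent 3, and the reason the naive attack fails once distinct time stamps are attached. The moduli, the message and the stamp values are constructed toy values (primes of the form $3k+2$, so that 3 is a valid exponent); no names or parameters come from the paper. The time-stamped messages defeat only this naive attack; section 3 of the paper shows that 7 such linearly related messages are still enough, which is why the paper recommends a large exponent or probabilistic encryption instead.

```python
"""Added example, not from the paper: why textbook RSA with e = 3 leaks a
message sent to three recipients, and why a per-recipient time stamp stops
the naive Chinese-remaindering attack (but, per the paper, not the lattice one).
All keys, the message and the stamps are constructed toy values."""
from functools import reduce
from math import gcd

E = 3
MODULI = [1013 * 1019, 1031 * 1049, 1061 * 1091]   # three users' public n_i (constructed)
MESSAGE = 1234                                    # m < min(n_i), as the text assumes
SHIFT = 8                                         # 2^SHIFT m + t, t < 2^SHIFT
STAMPS = [101, 102, 103]                          # constructed, distinct "times" t_i

def crt(residues, moduli):
    """Chinese remaindering: the unique 0 <= X < N = prod(n_i) with X = r_i (mod n_i)."""
    N = reduce(lambda a, b: a * b, moduli)
    X = 0
    for r, n in zip(residues, moduli):
        u = N // n
        X += r * u * pow(u, -1, n)   # u * (u^-1 mod n) is the coefficient u_i of the text
    return X % N

def iroot(k, x):
    """Exact integer k-th root of x, or None when x is not a perfect k-th power."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None

def encrypt_plain(m, n):
    """Textbook RSA: y = m^3 (mod n), the same plaintext for every recipient."""
    return pow(m, E, n)

def encrypt_stamped(m, t, n):
    """The time-stamp heuristic: encrypt 2^SHIFT * m + t, a different value per recipient."""
    return pow((m << SHIFT) + t, E, n)

def broadcast_recover(ciphertexts, moduli):
    """A listener's view: combine y_i = m^3 (mod n_i) into m^3 (mod prod n_i).
    With at least E recipients m^3 < prod(n_i), so the integer cube root is m.
    When the plaintexts differ the combined value is not a cube and None results."""
    if len(moduli) < E:
        return None
    return iroot(E, crt(ciphertexts, moduli))

def demo():
    """Returns (recovered m from plain ciphertexts, result for stamped ciphertexts)."""
    assert all(gcd(a, b) == 1 for a in MODULI for b in MODULI if a != b)
    plain = [encrypt_plain(MESSAGE, n) for n in MODULI]
    stamped = [encrypt_stamped(MESSAGE, t, n) for t, n in zip(STAMPS, MODULI)]
    return broadcast_recover(plain, MODULI), broadcast_recover(stamped, MODULI)
```

The stamped case returns None because cubing is a bijection modulo each of these moduli, so a cube root of the combined value would have to be congruent to $2^8 m + t_i$ modulo every $n_i$ at once, which distinct $t_i$ rule out.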

We will see in section 3 that the answer is YES if the number of similar messages is at least 7. In fact we will prove that given a set of equations

$P_i(x) \equiv 0 \pmod{n_i}, \quad i = 1, \dots, k$

where we have $k$ polynomial equations of degree $\le d$ it is possible to recover the solution in time polynomial in both $k$ and $\log n_i$ if $k > d(d+1)/2$ provided $n_i \gg 2^d$. Therefore we conclude that if RSA is to be used as a PKC we should use a large exponent or even better use a probabilistic encryption scheme [3], [6] based on RSA. By [1], [3] this can be done with as much efficiency as in the deterministic case.

2. The insecurity of a protocol by Broder and Dolev. 

Broder and Dolev proposed a protocol for flipping a coin in a distributed system [4]. Some of their essential ingredients were Shamir's method of sharing a secret and the use of a deterministic PKC. They proposed to use RSA. In [2] it is shown that what they really need from the security of the cryptosystem is:

Given the encryption of $a_i x + b_i$ with different keys it should be infeasible to decide the parity of $x$ with a better probability than flipping a coin. The analysis in the next section shows that given this information we can not only find the parity of $x$, but the exact value of $x$ if the PKC is RSA with a small exponent. In the case of a large exponent the protocol is not known to be insecure but on the other hand there is no proof of correctness. A provably secure protocol has been designed by Awerbuch et al. [2].

3. Main Theorem 

Let us start by fixing some notation. Let $N = \prod_{i=1}^k n_i$ and $n = \min n_i$. Now we can state the problem formally:

Problem: Given a set of $k$ equations $\sum_{j=0}^d a_{ij} x^j \equiv 0 \pmod{n_i}$, $i = 1, \dots, k$. Suppose that the system has a solution $x < n$. Can we find such a solution efficiently?

Before we give the theorem let us give the basic ideas. Define $u_i < N$ to be the Chinese remaindering coefficients, i.e. $u_i \equiv \delta_{ij} \pmod{n_j}$ ($\delta_{ij} = 1$ if $i = j$ and $0$ otherwise). We can combine the equations to a single equation using the Chinese remainder theorem:

$0 \equiv \sum_{j=0}^d x^j \sum_{i=1}^k u_i a_{ij} \equiv \sum_{j=0}^d x^j c_j \pmod N$






One of the important parts of the entire paper is the following simple lemma.

Lemma 1: If $|c_j| < \frac{N}{(d+1)\, n^j}$ we can find $x$ in time polynomial in $d$, $k$ and $\log n_i$.

Proof: If $|c_j| < \frac{N}{(d+1)\, n^j}$ then

$\left| \sum_{j=0}^d c_j x^j \right| \le \sum_{j=0}^d |c_j|\, n^j < N.$

Thus the condition $\sum_{j=0}^d c_j x^j \equiv 0 \pmod N$ implies $\sum_{j=0}^d c_j x^j = 0$. In other words $x$ solves the equation over the integers, and to prove the lemma we just need the fact that we can solve polynomial equations over the integers in polynomial time. This follows from [7] but there are more efficient algorithms.

The condition of lemma 1 is quite unlikely to be fulfilled when we start with a general set of equations. In spite of this, lemma 1 will be one of our main tools for proving:

Theorem: Given a set of equations $\sum_{j=0}^d a_{ij} x^j \equiv 0 \pmod{n_i}$, $i = 1, 2, \dots, k$, where $x < n$ and $\gcd((a_{ij})_{j=0}^d, n_i) = 1$ for all $i$. Then it is possible to recover $x$ in time polynomial in $d$, $k$ and $\log n_i$ if

$N > n^{\frac{d(d+1)}{2}} \, (k+d+1)^{\frac{k+d+1}{2}} \, 2^{\frac{(k+d)(k+d+1)}{2}} \, (d+1)^{(d+1)}$

As before $N = \prod_{i=1}^k n_i$, $n = \min n_i$, $d$ is the degree of the equations and $k$ is the number of equations.

Proof: The idea is to use lemma 1. However as we remarked it is quite unlikely that it will apply to our equations directly. To get more possibilities we will multiply the $i$-th equation by a constant $s_i$ before we combine them using Chinese remaindering. If we have chosen the $s_i$ carefully enough the resulting equation will have the desired small coefficients. We get

$\sum_{j=0}^d x^j \sum_{i=1}^k s_i u_i a_{ij} \equiv 0 \pmod N$

Let $c_j$ denote the coefficient of $x^j$ in this equation. To apply lemma 1 we want $|c_j|\, n^j < \frac{N}{d+1}$. The main tool for achieving this will be the use of lattices. We first start by recalling some background from the geometry of numbers.

3.1 Background from geometry of numbers.

A lattice $L$ is defined to be the set of points

$L = \{\, y \mid y = \sum_{i=1}^n a_i b_i,\; a_i \in \mathbb{Z} \,\}$

where the $b_i$ are linearly independent vectors in $\mathbb{R}^n$. The set $\{b_i\}$ is called a basis for the lattice and $n$ is the dimension. The determinant of a lattice is defined to be the absolute value of the determinant of the matrix with rows $b_i$. It is not hard to see that the determinant is independent of the choice of basis. The length of the shortest nonzero vector in the lattice is denoted by $\lambda_1$. Let us recall the following well-known facts:






Theorem: (Minkowski) $\lambda_1 \le \gamma_n^{1/2} (\det(L))^{1/n}$ where $\gamma_n$ is Hermite's constant.

$\gamma_n$ is not known explicitly but we have an upper bound $\gamma_n \le n$ [5].

Theorem: We can find a vector $b$ in polynomial time which satisfies $\|b\| / \lambda_1 \le 2^{(n-1)/2}$.

This is the bound you get from the famous algorithm in the paper by Lenstra, Lenstra and Lovász [7]. By a result by Schnorr it is possible to replace the constant 2 by any number greater than 1 [9] but this is not important to us. Armed with this information we return to the original problem.

3.2 Continuation of Proof. 

Define the following lattice $L$ of dimension $k + d + 1$ by its base vectors:

$b_1 = (a_{10}u_1,\; n a_{11}u_1,\; n^2 a_{12}u_1,\; \dots,\; n^d a_{1d}u_1,\; \frac{N}{(d+1)n_1},\; 0,\; \dots,\; 0)$
$b_2 = (a_{20}u_2,\; n a_{21}u_2,\; n^2 a_{22}u_2,\; \dots,\; n^d a_{2d}u_2,\; 0,\; \frac{N}{(d+1)n_2},\; \dots,\; 0)$
$\vdots$
$b_k = (a_{k0}u_k,\; n a_{k1}u_k,\; n^2 a_{k2}u_k,\; \dots,\; n^d a_{kd}u_k,\; 0,\; 0,\; \dots,\; \frac{N}{(d+1)n_k})$
$b_{k+1} = (N,\; 0,\; 0,\; \dots,\; 0,\; 0,\; 0,\; \dots,\; 0)$
$b_{k+2} = (0,\; nN,\; 0,\; \dots,\; 0,\; 0,\; 0,\; \dots,\; 0)$
$\vdots$
$b_{k+d+1} = (0,\; 0,\; 0,\; \dots,\; n^d N,\; 0,\; 0,\; \dots,\; 0)$

Observe that

$\sum_{i=1}^k s_i b_i \equiv (c_0,\; n c_1,\; n^2 c_2,\; \dots,\; n^d c_d,\; \dots) \pmod N$

Observe that for $0 \le j \le d$ the coordinate belonging to $x^j$ is divisible by $n^j$. We multiply the different coefficients by the corresponding powers of $n$ since we want $|c_j|\, n^j < \frac{N}{d+1}$. The last $k$ coordinates are there to make the multipliers $s_i$ small in a short vector in the lattice, and the last $d+1$ vectors reflect the fact that we have a modular equation.

The only term in the expansion of the determinant is the diagonal term and we get

$\det(L) = N^{d+1}\, n^{\frac{d(d+1)}{2}}\, (d+1)^{-k} \prod_{i=1}^k \frac{N}{n_i} = N^{d+k}\, (d+1)^{-k}\, n^{\frac{d(d+1)}{2}}$

This also shows that the vectors are independent. Combining the two theorems in section 3.1 we know that we can find a vector $b$ in $L$ that satisfies

$\|b\| \le (k+d+1)^{1/2}\; 2^{\frac{k+d}{2}}\; \det(L)^{\frac{1}{k+d+1}}$






Observe that to get the desired bounds for the $c_j$'s we need

$\|b\| < \frac{N}{d+1}.$

A simple calculation shows that to get this we need exactly the bound from the theorem.

To finish the proof we need to prove that we get a nontrivial equation. Since $\|b\| < \frac{N}{d+1}$ we know by the expressions for the last $k$ coordinates that $|s_i| < n_i$. $b$ is also nonzero. This together with the bound for its length implies that there is at least one $s_i \ne 0$. Look at the equation $\pmod{n_i}$ for the same $i$. Using that $0 < |s_i| < n_i$ and $\gcd((a_{ij})_{j=0}^d, n_i) = 1$ we see that this is a nontrivial equation.

The proof is complete. 



4. Cryptographic Corollaries 



We get some immediate corollaries of the main theorem 

Corollary 1: Sending linearly related messages using RSA with low exponent is insecure. Sending more than $\frac{d(d+1)}{2}$ messages enables an adversary to recover the messages.

This follows directly from our main theorem, assuming that the constants depending on the dimension are small compared to the moduli. In the same spirit we get

Corollary 2: Sending linearly related messages using the Rabin encryption function is insecure. If 4 such messages are sent it is possible to retrieve the message.

If one does a bit of extra work it is possible to say something about the cases of equality ($\frac{d(d+1)}{2}$ and 3 messages respectively) but we omit the details.

Corollary 3: The protocol by Broder and Dolev is insecure if RSA with low exponent is used.

Follows from the analysis in [2] and the main theorem.

The theorem also proves that we should not encode messages that are small known polynomials in some unknown, but this seems quite farfetched.



5. Open questions 

One interesting open question is whether we can solve the problem with fewer equations. It does not seem possible to use this line of attack with substantially fewer equations. To see this one might argue as follows:

The probability that $|c_j| < n^{k-j}$ for $j = 1, \dots, d$ for a fixed set of $s_i$ is approximately $n^{-d(d+1)/2}$ and this would indicate that we should have $n^{d(d+1)/2}$ sets of equations to choose between and therefore at least $d(d+1)/2$ equations.






There does not seem to be any way to extend the above attack to RSA with large exponent. The reason being that the integers involved are too big even to write down. There is still a large amount of structure present and it would be interesting to investigate whether this structure could be used.

Acknowledgments: I would like to thank Silvio Micali, Shafi Goldwasser and Benny Chor for suggesting the problem, listening to early solutions and suggesting improvements and simplifications. They also pointed out the flaws in the argument of Broder and Dolev.

References:

[1] Alexi W., Chor B., Goldreich O. and Schnorr C.P. "RSA/Rabin Bits are 1/2 + 1/poly(log N) Secure", FOCS 1984, pp 449-457.

[2] Awerbuch B., Chor B., Goldwasser S. and Micali S. "Provably Secure Coin Flip in a Byzantine Environment", manuscript in preparation.

[3] Blum M. and Goldwasser S. "An Efficient Probabilistic Public Key Encryption Scheme which Hides all Partial Information", presented in Crypto 1984.

[4] Broder A.Z. and Dolev D. "Flipping Coins in Many Pockets", FOCS 1984, pp 157-170.

[5] Cassels J.W.S. "Geometry of Numbers", Springer 1959.

[6] Goldwasser S. and Micali S. "Probabilistic Encryption", JCSS 28, 270-299.

[7] Lenstra A.K., Lenstra H.W. and Lovász L. "Factoring Polynomials with Integer Coefficients", Mathematische Annalen 261 (1982), 513-534.

[8] Rivest R.L., Shamir A. and Adleman L. "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", CACM 21-2, February 1978.

[9] Schnorr C.P. "A Hierarchy of Polynomial Basis Reduction Algorithms", manuscript.



LENSTRA'S FACTORISATION METHOD BASED ON ELLIPTIC CURVES

N.M. Stephens
University College
Cardiff
Great Britain

0. Introduction 

The purpose of this exposition is to explain the method due to H.W. Lenstra, Jr. [1] of determining a non-trivial factor, $p$, of a composite number, $n$. The method uses the theory of elliptic curves and has an expected running time of $L(p)^{\sqrt 2}$ where $L(p) = \exp(\sqrt{\log p \log\log p})$.
The aim of the exposition is to be completely elementary. It begins 
with an introduction to the arithmetic of elliptic curves sufficient to 
enable the reader to follow the later section explaining the method. 
The paper ends with a few remarks on techniques for the practical 
implementation of the algorithm. 

The problem of finding efficient algorithms to decide whether or 
not a number is prime (primality testing) and to determine a non-trivial 
divisor of a composite number (factorisation) has a long history and has 
been considered by many number theorists including Fermat and Gauss. 
The more recent motivation for the study of the problem is the apparent 
security of the RSA public key cryptographic system based on the 
difficulty to factorise a number which is the product of two large 
primes . 

The classical technique of trial division by all numbers up to $\sqrt n$ can be used to test the primality of $n$ and to factor $n$. It has running time $O(\sqrt n)$ which in terms of $\log n$ (the most reasonable measure of the size of the problem) is $O(\exp(c \log n))$ with $c = \frac12$. Thus the trial division technique is said to have exponential running time.

Progress in the factorisation problem was made in the early 1970's. The methods still had exponential running time but the constant $c$ was smaller. Lehman's method was with $c = \frac13$; Shanks provably with $c = \frac14$ but with $c = \frac15$ assuming the extended Riemann Hypothesis; Pollard's rho method has an expected running time with $c = \frac14$.

Newer advances were based on Fermat's idea that a non-trivial solution of

$x^2 \equiv y^2 \pmod n$

yields a non-trivial factor of $n$, viz the highest common factor of $x - y$



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 409-416, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






and $n$. The determination of a solution and the analysis of the efficiency of the method required the concept of a "smooth" number (see later). The various methods exploiting this idea are difficult to analyse exactly but may reasonably be assumed to have sub-exponential running times. That is, to factorise $n$ requires time $L(n)^\gamma$ for some constant $\gamma$, and similar storage requirements. The best value of $\gamma$ so far achieved using these techniques is $\gamma = 1$. In practice, the time to factor $n = pq$, where $p$ and $q$ are primes of size about $10^{30}$, on a big machine is 28 hours [2].



1. Elliptic Curves 

Let $F$ be a field; for the purpose of this exposition, $F$ may be assumed to be $\mathbb{Q}$, the rational numbers, or $F_p$, the set of residues modulo a large prime $p$. An elliptic curve is an equation in $x$ and $y$ of the form

$E : y^2 = x^3 + Ax + B$

where $A, B$ are integers such that $4A^3 + 27B^2 \ne 0$. (This is a technical condition which prevents the cubic in $x$ having a linear factor squared.)

A point on the curve is either a pair $(x, y)$ with $x, y \in F$ satisfying the equation or the pair $(\infty, \infty) = O$. The set of all points $E(F)$ forms an abelian group. The zero of the group is $O$. The negative of $(x, y)$ is $(x, -y)$. The sum of $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ with $P_1 \ne -P_2$ and $P_1, P_2 \ne O$ is given as follows: let

$m = \begin{cases} (y_2 - y_1)/(x_2 - x_1) & x_1 \ne x_2 \\ (3x_1^2 + A)/(2y_1) & x_1 = x_2 \end{cases}$

Then $P_1 + P_2 = (x_3, y_3)$ is given by

$x_3 = m^2 - x_1 - x_2$
$y_3 = m(x_1 - x_3) - y_1$



One can check that with addition defined as above that E (F) is 
indeed an abelian group, but some motivation for the formula would 
probably make the reader happier and less inclined to skip the rest of 
this article. The explanation is best illustrated with the field 
F = R the set of real numbers. The curve E can then be represented 
as in figure 1 . 







Figure 1 



The line joining the points $P_1$ and $P_2$ has gradient $m$ given by the above formula; the alternative is derived from the limiting case when the chord becomes the tangent at $P_1$. This line intersects the curve at one further point $P'$, whose negative is defined to be the sum of $P_1$ and $P_2$.

One way of interpreting the addition law on $E(F)$ is to state that the three points $P, Q$ and $R \in E(F)$ are collinear if and only if

$P + Q + R = O$

Note that the addition law lends itself very easily to computation. If $MP$ denotes the point $P$ added to itself $M$ times, then $MP$ can be computed using the standard divide and conquer technique in $O(\log M)$ arithmetic steps.






Example. To illustrate the addition law, consider the elliptic curve

$E : y^2 = x^3 - 16x + 16.$

Over $\mathbb{Q}$, there is an obvious point $P = (0, 4)$. To obtain $2P = (0, 4) + (0, 4)$ we need to use the tangent formula for $m$:

$m = (3x_1^2 + A)/(2y_1) = -2$

from which we obtain $2P = (4, 4)$. From $P$ and $2P$ we obtain $3P$ by using the chord formula for $m$:

$m = (y_2 - y_1)/(x_2 - x_1) = 0$

and hence $3P = (-4, -4)$. Continuing in this way, further multiples of $P$ are:

$4P = (8, -20)$, $5P = (1, -1)$, $6P = (24, 116)$,
$7P = (-20/9, -388/27)$, $8P = (84/25, -52/125)$, ...

The structure of $E(F)$. In 1922, Mordell showed that $E(\mathbb{Q})$ is a finitely generated abelian group; that is, that all rational solutions on $E$ may be generated using the addition law from a finite number of basic solutions. If $T$ is the subgroup of points of finite order on $E(\mathbb{Q})$ then

$E(\mathbb{Q}) \cong T \times \mathbb{Z}^g$

for some finite number $g$. There is a rich body of theory concerning the structure and computation of $E(\mathbb{Q})$ and many unsolved but important conjectures with far-reaching consequences. These do not concern us here but the interested reader might like to consult [3] for a stimulating account.

Returning to the example above, it can be shown that $E(\mathbb{Q}) \cong \mathbb{Z}$ (i.e. no points of finite order except $O$, and $g = 1$) and that it is generated by $P = (0, 4)$.

We need to state some more facts about an elliptic curve over the finite field $F_p$. Firstly, the group $E(F_p)$ (which is obviously finite) is either a cyclic group or the product of two cyclic groups.

Secondly, let $N_p$ denote the number of points in $E(F_p)$. Its value will depend on $E$, that is the values of $A$ and $B$ modulo $p$. Define $a_p$ by

$N_p = p + 1 - a_p.$

Since $p + 1$ represents the "expected" number of solutions of

$y^2 \equiv x^3 + Ax + B \pmod p$






including the point at infinity, the value $a_p$ measures the discrepancy of $N_p$ from its expected value. It is known (the Riemann Hypothesis for Abelian Varieties of dimension 1) that

$-2\sqrt p \le a_p \le 2\sqrt p.$

Moreover, for each integer $a$ in this range, the number of elliptic curves over $F_p$ with $0 \le A < p$, $0 \le B < p$ and having $N_p = p + 1 - a$ is

$h(4p - a^2) \cdot (p-1)/2$

where $h(d)$ is the Hurwitz class number of discriminant $-d$. In particular, to every value $a$ with $|a| < 2\sqrt p$, there is a corresponding elliptic curve $E$ over $F_p$ with $a_p = a$.

Example. We consider the original example reduced modulo $p$ with $p = 5$:

$E : y^2 = x^3 - x + 1.$

To determine $N_p$ consider the values of the cubic and thus $y$ for each possible $x$:

  x            0    1    2    3    4
  x^3 - x + 1  1    1    2    0    1
  y           ±1   ±1    -    0   ±1

Thus $N_5 = 8$ and $a_5 = -2$. That $E(F_5)$ is cyclic of order 8 can be clearly seen by reducing $P, 2P, \dots, 8P$ from $E(\mathbb{Q})$ to $E(F_5)$ by considering each co-ordinate modulo 5. In particular

$8P = (84/25, -52/125) \to (\infty, \infty) = O$
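The addition law of section 1, the multiples of $P = (0,4)$ computed above, and their reduction modulo 5, as one added example that is not part of the paper. It works with exact rationals, checks every multiple against the curve equation, counts $E(F_5)$ the way the table does, and finds the order of the reduced point; the helper names are this example's own. One observation it makes: the $y$-coordinate of $7P$ comes out as $172/27$, which does satisfy $y^2 = x^3 - 16x + 16$ at $x = -20/9$, whereas the value printed in the text does not; every other multiple listed in the text is reproduced exactly.

```python
"""Added example, not from the paper: the chord-and-tangent addition law of
section 1 over Q (exact rational arithmetic), checked against the multiples of
P = (0, 4) on y^2 = x^3 - 16x + 16, then reduced modulo p = 5 to recover the
point count N_5 = 8 and the fact that P generates E(F_5)."""
from fractions import Fraction as Fr

INF = None            # the point at infinity O = (oo, oo)
A, B = -16, 16        # the curve of the text
P = (Fr(0), Fr(4))    # the obvious rational point

def on_curve(pt, a, b):
    if pt is INF:
        return True
    x, y = pt
    return y * y == x**3 + a * x + b

def add(p1, p2, a):
    """p1 + p2 by the formulas of section 1 (B does not enter them)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and y1 == -y2:            # p1 = -p2: the chord is vertical
        return INF
    if x1 == x2:                           # tangent at p1
        m = (3 * x1 * x1 + a) / (2 * y1)
    else:                                  # chord through p1 and p2
        m = (y2 - y1) / (x2 - x1)
    x3 = m * m - x1 - x2
    y3 = m * (x1 - x3) - y1
    return (x3, y3)

def multiples(pt, a, upto):
    """[pt, 2pt, ..., upto*pt] by repeated addition."""
    out, q = [], pt
    for _ in range(upto):
        out.append(q)
        q = add(q, pt, a)
    return out

def reduce_mod(pt, p):
    """Reduce a rational point modulo p; a denominator divisible by p means O."""
    if pt is INF:
        return INF
    x, y = pt
    if x.denominator % p == 0 or y.denominator % p == 0:
        return INF
    return (x.numerator * pow(x.denominator, -1, p) % p,
            y.numerator * pow(y.denominator, -1, p) % p)

def count_points(a, b, p):
    """N_p = #E(F_p): for each x count the y with y^2 = x^3 + ax + b, plus O."""
    total = 1
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        total += sum(1 for y in range(p) if y * y % p == rhs)
    return total

def order_mod(pt, a, p):
    """Order of the reduction of pt in E(F_p): smallest k with k*pt reducing to O."""
    k, q = 1, pt
    while reduce_mod(q, p) is not INF:
        q = add(q, pt, a)
        k += 1
    return k
```

Reduction modulo $p$ is a group homomorphism, so the order found by `order_mod` divides $N_p$; here it equals 8, which is the cyclicity claim of the text.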

2. b-smooth numbers

Let $b$ be a positive integer. A number $m$ is said to be $b$-smooth if every prime factor $q$ of $m$ is less than or equal to $b$. Thus

$m = \prod_{q \le b} q^{e_q}$ with $e_q \ge 0$.

Numbers which are $b$-smooth are rare. The probability that a random number $m \le x$ is $b$-smooth is about $u^{-u}$ where $u = \log x / \log b$. Thus, for example, if $x = 10^{100}$ and $b = 10^{10}$, then $u = 10$ and we see that the probability is $10^{-10}$.

3. Pollard's p-1 method

The easiest way to understand Lenstra's factorisation method is to look first at Pollard's so-called $p-1$ method since certain strong analogies can be drawn.

Suppose that the number $n$ is to be factorised and that it is known that it has a prime divisor $p$ for which $p - 1$ is $b$-smooth. Define $M$ by:

$M = \prod_{q \le b} q^{e_q}$

The exponents of $q$ have been chosen so that we can guarantee that $p - 1$ divides $M$. In particular, for any integer $a$ with $(a, p) = 1$

$a^{p-1} \equiv 1 \pmod p$

and so

$a^M \equiv 1 \pmod p.$

To find $p$ then, the method first computes $d \equiv a^M - 1 \pmod n$ for some random $a$, for example $a = 2$; secondly it computes the highest common factor of $d$ and $n$. This will normally be $p$ unless there are other primes $q$ dividing $n$ for which the exponent of $a$ mod $q$ divides $M$.

The time for this method is dominated by the time to compute $a^M$ modulo $n$. Using the divide and conquer technique for evaluation of powers, this can be achieved in $O(\log M)$ modulo $n$ multiplication steps. Hence since $\log M = \sum_{q \le b} \log n$ the time is $O(b \log n / \log b)$.

In view of the earlier remark about the rarity of $b$-smooth numbers, this method is not worth implementing unless it is known that, for some small $b$, $p - 1$ is $b$-smooth.
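Pollard's $p-1$ method as just described, as an added example that is not from the paper, run on a constructed composite chosen so that one prime has a 5-smooth $p-1$ and the other does not. The concrete rule for the exponents $e_q$ (largest power of $q$ not exceeding $n$) is this example's assumption; it is one way to meet the text's requirement that every $b$-smooth $p-1$ divides $M$. The three calls in the usage note show the outcome the text describes: a factor, no factor because $p-1$ is not smooth enough, and the failure where the order of $a$ divides $M$ modulo every prime.

```python
"""Added example, not from the paper: Pollard's p-1 method of section 3 on the
constructed composite n = 253 = 11 * 23.  Here 11 - 1 = 10 = 2 * 5 is 5-smooth
while 23 - 1 = 22 = 2 * 11 is not, so b = 5 separates the two primes."""
from math import gcd

def primes_upto(b):
    """Primes q <= b by a simple sieve."""
    sieve = [True] * (b + 1)
    out = []
    for q in range(2, b + 1):
        if sieve[q]:
            out.append(q)
            for k in range(q * q, b + 1, q):
                sieve[k] = False
    return out

def smooth_exponent(n, b):
    """M = prod_{q <= b} q^{e_q}, with q^{e_q} the largest power of q not exceeding n.
    (This concrete choice of e_q is an assumption of the example; it guarantees that
    every b-smooth p - 1 with p <= n divides M, as the text requires.)"""
    M = 1
    for q in primes_upto(b):
        e = 1
        while q ** (e + 1) <= n:
            e += 1
        M *= q ** e
    return M

def pollard_p_minus_1(n, b, a=2):
    """Return gcd(a^M - 1, n).  A value strictly between 1 and n is a factor;
    1 means no prime p | n had p - 1 b-smooth (for this a); n means the order of a
    divides M modulo every prime of n, the failure the text mentions."""
    M = smooth_exponent(n, b)
    return gcd(pow(a, M, n) - 1, n)
```

With $n = 253$: `pollard_p_minus_1(253, 5)` returns 11; `pollard_p_minus_1(253, 3)` returns 1 (no $p-1$ is 3-smooth, since 5 divides 10); `pollard_p_minus_1(253, 11)` returns 253, because 22 is 11-smooth as well and both primes are found at once.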

4. Lenstra's method

The crucial results that made Pollard's $p-1$ method successful were that the residues modulo $p$ formed a multiplicative group of order $p - 1$, and so $a^{p-1} \equiv 1 \pmod p$, and that $p - 1$ was $b$-smooth.

Lenstra's method is based on the same idea. But instead it uses the group (written additively) of points on an elliptic curve $E$ over $F_p$ which has order $N_p$. It too succeeds whenever $N_p$ is $b$-smooth. The advantage of the elliptic curve method is that there are a large number of different curves $E$ that can be tried, each with a potentially different value of $N_p$. For a large number of tries, the hope is that one such $N_p$ is $b$-smooth for some suitably chosen small number $b$.

Explicitly, the method is as follows: 






Step 1 Choose a value for $b$ (see later for optimal value) and let $M = b!$ or $M = \mathrm{lcm}(1, 2, \dots, b)$ or some similar large $b$-smooth number.

Step 2 Choose an elliptic curve $E$ over $\mathbb{Q}$ at random and a point $P$ that satisfies the equation modulo $n$.

Step 3 Compute $MP$ modulo $n$ using the formulae given in section 1. If this computation fails to give a factor of $n$ go back to Step 2 and choose a different curve $E$.

How does the computation of $MP$ modulo $n$ yield a factor of $n$? The addition formulae supplied were for computation over a field. The formula for $m$, the gradient, involves one division; now over a field, this causes no problem because if the denominator is zero then the required sum is the point $O = (\infty, \infty)$. Modulo a composite number $n$, however, the division is only possible if the denominator $d$ is co-prime to $n$. So the computation "fails" whenever $(d, n) > 1$. In particular, it fails when $p$ is a divisor of $n$ and $N_p$ divides $M$. This failure however gives a factorisation of $n$ and signifies, in fact, the success of the method.

The method then successfully factors $n$ when the value of $N_p$ for the chosen elliptic curve is a $b$-smooth number dividing $M$ and there is a $q$ dividing $n$ such that the order of $P$ in $E(F_q)$ does not divide $M$.

Example. The method is illustrated by attempting to factorise $n = 187$ with $b = 3$, $M = 3! = 6$ and $P = (0, 5)$ on the curve

$E : y^2 = x^3 + x + 25.$

To compute $P + P$: $m = 1/10 \equiv -56 \pmod{187}$ and $2P = (-43, 18)$.

To compute $2P + 2P$: $m = (-621)/36 \equiv 71 \pmod{187}$ and $4P = (78, -7)$.

To compute $2P + 4P$: $m = (-25)/(-66)$.

But $(-66, 187) = 11$; thus in three steps, the method produces the factor 11 of 187.
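Steps 1 to 3 of the method and the $n = 187$ example, as one added example that is not part of the paper. The addition formulas are those of section 1 evaluated modulo $n$; a division whose denominator shares a factor with $n$ raises an exception carrying that factor, which is the "failure" the text turns into success. The scalar multiplication is written right-to-left so that for $M = 6$ it visits $2P$, $4P$ and then $2P + 4P$, the same three steps as the text. The random-curve loop, its seed and the use of $M = b!$ are this example's own choices; `lenstra_factor` goes beyond the single worked instance by running the general step 2 / step 3 loop.

```python
"""Added example, not from the paper: Lenstra's method of section 4 on the
constructed instance n = 187, b = 3, M = 3! = 6, E: y^2 = x^3 + x + 25 and
P = (0, 5), followed by the random-curve loop of steps 1-3.  All arithmetic is
modulo n; a gradient whose denominator shares a factor with n is the
'failure' that exposes the factor."""
import random
from math import factorial, gcd

INF = None   # the point at infinity

class FactorFound(Exception):
    """Raised when a division modulo n is impossible; carries (denominator, n)."""
    def __init__(self, d):
        super().__init__(d)
        self.d = d

def inv_mod(d, n):
    """1/d mod n, or raise FactorFound(g) when g = (d, n) > 1."""
    g = gcd(d % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(d, -1, n)

def ec_add(p1, p2, a, n):
    """The chord-and-tangent formulas of section 1 evaluated modulo n."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % n == 0:    # p1 = -p2
        return INF
    if x1 == x2:                             # tangent
        m = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n
    else:                                    # chord
        m = (y2 - y1) * inv_mod(x2 - x1, n) % n
    x3 = (m * m - x1 - x2) % n
    y3 = (m * (x1 - x3) - y1) % n
    return (x3, y3)

def ec_mul(k, pt, a, n):
    """k*pt by right-to-left double-and-add.  For k = 6 = 110b this computes
    2P, 4P and then 2P + 4P, the same three steps as the text's example."""
    r, q = INF, pt
    while k:
        if k & 1:
            r = ec_add(r, q, a, n)
        k >>= 1
        if k:
            q = ec_add(q, q, a, n)
    return r

def lenstra_step(n, a, pt, M):
    """Step 3: try to compute M*P mod n.  Returns a proper divisor of n exposed by a
    failed division, or None (computation succeeded, or every prime failed at once)."""
    try:
        ec_mul(M, pt, a, n)
    except FactorFound as f:
        return f.d if f.d != n else None
    return None

def lenstra_factor(n, b, tries=500, seed=0):
    """Steps 1-3 with M = b!: random curves through random points until one works."""
    rng = random.Random(seed)             # seeded only so the example is repeatable
    M = factorial(b)
    for _ in range(tries):
        x, y, a = rng.randrange(n), rng.randrange(n), rng.randrange(n)
        bb = (y * y - x**3 - a * x) % n   # choose B so that (x, y) lies on E mod n
        g = gcd(4 * a**3 + 27 * bb * bb, n)
        if g == n:                        # singular modulo every prime of n: skip
            continue
        if g > 1:                         # the discriminant already exposed a factor
            return g
        d = lenstra_step(n, a, (x, y), M)
        if d:
            return d
    return None
```

`lenstra_step(187, 1, (0, 5), 6)` returns 11 from the division by $-66$, exactly as in the text; `ec_add((0, 5), (0, 5), 1, 187)` gives $(144, 18)$, i.e. $(-43, 18)$, and four times $P$ is $(78, 180)$, i.e. $(78, -7)$.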

5. Concluding Remarks 

The following theorem is due to Lenstra. The proof makes one "reasonable" assumption about the number of $b$-smooth numbers in a small interval.

Theorem. The elliptic curve method with $b = L(p)$ splits any integer $n$ in expected time $O(L(p)^{\sqrt 2 + o(1)} (\log n)^2)$ where $p$ is the smallest prime divisor of $n$.






Corollary. The elliptic curve method can be used to factor completely any $n$ in expected time $O(L(n)^{1 + o(1)})$.

These results show that asymptotically, Lenstra's method is as good as any previously known method to factorise $n$. It has, however, in addition several important advantages. Firstly, it is easy to program, a non-sophisticated version requiring about 100 lines of code. Secondly, it requires very little storage and can be conveniently run as a background job. Thirdly, if $n$ has a small prime factor, this can be expected to be found sooner than larger ones, which helps to terminate the method in a shorter time. The previous fast methods operated in time which is independent of the size of the factors. Fourthly, it is ideally suited to implementation in parallel; many elliptic curves can be tried simultaneously and independently.

In practice, with the implementations so far, the method is not as 
fast as existing methods when applied to composite numbers which are the 
product of two large primes. To the author's knowledge the best results 
using Lenstra's method have been achieved by P. Montgomery [4] who has 
for example successfully factored the 74 digit number 

(5 105 + l)/2 

into two factors, one of which is approximately 10* 2 . 

There are various implementation techniques to speed up the method of factorisation described in this article. Many of these techniques are improved by practical experimentation and it is the author's view that the method has not been around long enough to achieve its best potential. One of the crucial problems in increasing the speed of the method is to avoid too many inversions modulo $n$. Another is to make a sensible choice of $b$ and of $M$. Clearly small primes in $M$ need to have a higher exponent than big primes. Experiments indicate that whereas $M = b!$ has the exponents of small primes too big, $M = \mathrm{lcm}(1, \dots, b)$ has the exponents too small.

6. References

1. H.W. Lenstra Jr. Elliptic Curve Factorisation and Primality Testing. Paper to Computational Number Theory Conference at Arcata, California. August 1985.

2. R. Silverman, Paper to Computational Number Theory Conference at Arcata, California. August 1985.

3. N. Koblitz. Introduction to Elliptic Curves and Modular Forms. Springer-Verlag 1984.

4. P.L. Montgomery. Experiences using Elliptic Curve Method of Factorisation. Paper to Computational Number Theory Conference at Arcata, California. August 1985.



Use of Elliptic Curves in Cryptography

Victor S. Miller

Exploratory Computer Science, IBM Research, P.O. Box 218, Yorktown Heights, NY 10598

ABSTRACT

We discuss the use of elliptic curves in cryptography. In particular, we propose an analogue of the Diffie-Hellman key exchange protocol which appears to be immune from attacks of the style of Western, Miller, and Adleman. With the current bounds for infeasible attack, it appears to be about 20% faster than the Diffie-Hellman scheme over GF(p). As computational power grows, this disparity should get rapidly bigger.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 417-426, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






Introduction 

Elliptic curves have been objects of intense study in Number Theory for the last 90 years. To 
quote Lang "It is possible to write endlessly on Elliptic Curves (This is not a threat)." [1]. Re- 
cently [2], H.W. Lenstra has proposed a new integer factorization algorithm based on the arith- 
metic of elliptic curves, which, under reasonable hypotheses, runs at least as fast as the best 
known factorisation algorithm, and uses a negligible amount of storage. This has obvious impli- 
cations for cryptographic techniques depending on the difficulty of factoring. It is my intent to 
show that elliptic curves have a rich enough arithmetic structure so that they will provide a fertile 
ground for planting the seeds of cryptography. 

NOTATION AND RESUME OF PROPERTIES OF ELLIPTIC CURVES 

If $S$ is a finite set, we denote its cardinality by $|S|$. If $p$ is a prime number, and $n \ne 0$ is an integer, we denote by $v_p(n)$ the exact exponent of $p$ dividing $n$. If $a = b/c$ is rational, then we set $v_p(a) = v_p(b) - v_p(c)$. As usual, $\mathbb{Q}$ denotes the rational numbers, and $\mathbb{Z}$ denotes the integers. If $n \ne 0$ is an integer, let $\mathbb{Q}_{(n)}$ denote the subring of $\mathbb{Q}$ consisting of elements whose denominators are relatively prime to $n$. If $\sigma$ denotes a set of primes then let $\mathbb{Z}_\sigma$ denote those rational numbers whose denominators are divisible only by primes in $\sigma$. Note that if no prime in $\sigma$ divides $n$, then $\mathbb{Z}_\sigma$ is a subring of $\mathbb{Q}_{(n)}$.

An (affine) algebraic group defined over a ring $R$ is a set of simultaneous polynomial equations in $x_1, \dots, x_n$, with coefficients in $R$:

$f_1(P) = 0, \; \dots, \; f_r(P) = 0$

along with a composition law, and inverse given by $n$ polynomial functions with coefficients in $R$,

$m_i(x_1, \dots, x_n, y_1, \dots, y_n)$

$a_i(x_1, \dots, x_n)$

which satisfies the usual axioms for a group. If $G$ is an algebraic group, and $S$ is a ring which has a multiplication by elements of $R$ defined, then $G(S)$ denotes the set of solutions to the polynomial equations with the variables having values in $S$. The law of composition given above then makes $G(S)$ into a group. We also may have a projective algebraic group with the same definition as above, except that the polynomials must be homogeneous of the same degree. In this case $G(S)$ denotes the set of solutions not all of whose coordinates are zero, with two solutions being considered the same if one is a scalar multiple of the other. Note that in this case, the law of composition really consists of a set of rational functions.
As an example, we have the multiplicative group:

$G_m : xy = 1$

with law of composition $((x_1, y_1), (x_2, y_2)) \to (x_1 x_2, y_1 y_2)$ and inverse $(x, y) \to (y, x)$.

Define the logarithmic height of a point: Given a point $P = (x_1, x_2, \dots, x_n)$ with rational coordinates, let $D$ be a common denominator for all the $x_i$ such that there is a $j$ such that $(Dx_j, D) = 1$. The logarithmic height, $h(P) = \log \max(|D|, |Dx_1|, \dots, |Dx_n|)$. This height is a measure of the number of bits needed to write down the point $P$. Let $H_n(K) = \{ P \in \mathbb{Q}^n \mid h(P) \le K \}$.

Let $p_i$ denote the $i$-th prime number, and $G_m(r)$ be the subgroup of $G_m(\mathbb{Q})$ generated by $p_1, \dots, p_r$. Note that $G_m(r)$ is the same as $G_m(\mathbb{Z}_\sigma)$ where $\sigma$ consists of the set of primes $p_1, \dots, p_r$. Also let $G_m(r, K) = G_m(r) \cap H_2(K)$.

An elliptic curve defined over a field $F$ is the curve defined by the following equation:

$$E : \; y^2 = x^3 + ax + b$$

where $a$ and $b$ are elements of $F$ (assumed to have characteristic $\neq 2, 3$; there is a slightly more complicated formulation in those cases). There is a natural law of composition on the points of $E$ obtained by the "tangent and chord method": given two points $P$ and $Q$, the straight line containing them intersects the curve in a third point $R$ (if $P = Q$, take the tangent to the curve at $P$). Define $P + Q$ to be the point $(x(R), -y(R))$. This provides a commutative and associative law of composition, whose zero element is the point at infinity $(\infty, \infty)$. We denote the set of points (including the point at infinity) of the curve $E$ with coordinates in the field $F$ by $E(F)$. The discriminant of the curve is $\Delta = -16(4a^3 + 27b^2)$. The elliptic curve

$$E_\lambda : \; y^2 = x^3 + \lambda^4 a\, x + \lambda^6 b$$

is isomorphic to the curve $E$ above by the substitution $(x, y) \mapsto (\lambda^2 x, \lambda^3 y)$.

We say that $E$ is minimal if $a$ and $b$ are integers and there is no integer $\lambda \neq \pm 1$ such that $\lambda^4 \mid a$ and $\lambda^6 \mid b$. Clearly, every elliptic curve over $\mathbb{Q}$ is isomorphic to a minimal one. We denote the discriminant of the minimal curve isomorphic to $E$ by $\Delta_{\min}$. There is a slightly more general definition of minimal, using a more complicated model for an elliptic curve (see [1]); its value of $\Delta$ differs from the one described above by a factor dividing 24.

To calculate multiples of a point $P = (x, y)$ we may use the following recurrences (see Lang [1], p. 37):

$$g_0 = 0, \qquad g_1 = 1, \qquad g_2 = 1,$$

$$g_3 = 3x^4 + 6ax^2 + 12bx - a^2,$$

$$g_4 = 2\left(x^6 + 5ax^4 + 20bx^3 - 5a^2x^2 - 4abx - 8b^2 - a^3\right),$$

$$g_{2n} = g_n\left(g_{n+2}\, g_{n-1}^2 - g_{n-2}\, g_{n+1}^2\right),$$

$$g_{4n+1} = 16y^4\, g_{2n+2}\, g_{2n}^3 - g_{2n+1}^3\, g_{2n-1},$$

$$g_{4n+3} = g_{2n+3}\, g_{2n+1}^3 - 16y^4\, g_{2n+2}^3\, g_{2n},$$

$$f_{2n} = 2y\, g_{2n}, \qquad f_{2n+1} = g_{2n+1}.$$

Then

$$x(nP) = x - \frac{f_{n+1}\, f_{n-1}}{f_n^2}.$$

Using the above recursions we may calculate the coordinates of $nP$ in $26 \log_2 n$ multiplications.
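As an added example, not from the paper, the recurrences above are carried out numerically over $\mathbb{F}_p$ and cross-checked against ordinary chord-and-tangent double-and-add. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ and the base point $(3, 6)$ are constructed for illustration. Because $y$ enters $x(nP)$ only through $y^2$ and $y^4$, which are polynomials in $x$, the computation also exhibits the fact used in the last section that $x(nP)$ depends only on $x(P)$.

```python
# Added example (not from the paper): the division-polynomial recurrences of the
# first section evaluated over F_p and cross-checked against double-and-add.
# Curve, prime and base point below are constructed for illustration.

def ec_add(P, Q, a, p):
    """Chord-and-tangent addition on y^2 = x^3 + a*x + b over F_p.
    Points are (x, y) tuples reduced mod p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                        # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P, a, p):
    """Binary double-and-add; the reference value for the recurrence below."""
    R, Q = None, P
    while n:
        if n & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        n >>= 1
    return R

def division_polys(P, a, b, p, N):
    """g_0..g_N and f_0..f_N at P = (x, y), following
    g_{2n} = g_n (g_{n+2} g_{n-1}^2 - g_{n-2} g_{n+1}^2),
    g_{4n+1} = 16 y^4 g_{2n+2} g_{2n}^3 - g_{2n+1}^3 g_{2n-1},
    g_{4n+3} = g_{2n+3} g_{2n+1}^3 - 16 y^4 g_{2n+2}^3 g_{2n},
    f_{2n} = 2y g_{2n}, f_{2n+1} = g_{2n+1}."""
    x, y = P
    g = [0] * (N + 1)
    g[1] = g[2] = 1
    if N >= 3:
        g[3] = (3 * x**4 + 6 * a * x**2 + 12 * b * x - a * a) % p
    if N >= 4:
        g[4] = 2 * (x**6 + 5 * a * x**4 + 20 * b * x**3 - 5 * a * a * x * x
                    - 4 * a * b * x - 8 * b * b - a**3) % p
    y4 = pow(y, 4, p)
    for n in range(5, N + 1):
        if n % 2 == 0:
            m = n // 2
            g[n] = g[m] * (g[m + 2] * g[m - 1]**2 - g[m - 2] * g[m + 1]**2) % p
        elif n % 4 == 1:
            m = (n - 1) // 4
            g[n] = (16 * y4 * g[2*m + 2] * g[2*m]**3 - g[2*m + 1]**3 * g[2*m - 1]) % p
        else:
            m = (n - 3) // 4
            g[n] = (g[2*m + 3] * g[2*m + 1]**3 - 16 * y4 * g[2*m + 2]**3 * g[2*m]) % p
    f = [(2 * y * g[n]) % p if n % 2 == 0 else g[n] for n in range(N + 1)]
    return g, f

def x_of_multiple(n, P, a, b, p):
    """x(nP) = x - f_{n+1} f_{n-1} / f_n^2 from the recurrences alone.
    y enters only through y^2 and y^4, so this depends on x(P) only.
    Returns None when f_n = 0, i.e. when nP is the point at infinity."""
    x, _ = P
    _, f = division_polys(P, a, b, p, n + 1)
    if f[n] == 0:
        return None
    return (x - f[n + 1] * f[n - 1] * pow(f[n] * f[n] % p, -1, p)) % p

def disagreements(P, a, b, p, N):
    """n in 1..N where the recurrence and double-and-add differ (expected: none)."""
    bad = []
    for n in range(1, N + 1):
        R = ec_mul(n, P, a, p)
        xr = x_of_multiple(n, P, a, b, p)
        if (R is None) != (xr is None) or (R is not None and R[0] != xr):
            bad.append(n)
    return bad

# Constructed sample: y^2 = x^3 + 2x + 3 over F_97, base point (3, 6) (36 = 27 + 6 + 3).
A_EX, B_EX, P_MOD = 2, 3, 97
P_EX = (3, 6)

if __name__ == "__main__":
    print("x(2P) =", x_of_multiple(2, P_EX, A_EX, B_EX, P_MOD))
    print("mismatches for n <= 40:", disagreements(P_EX, A_EX, B_EX, P_MOD, 40))
```

Both routes reach the same $x$-coordinate for every $n$, and $f_n(P) \equiv 0$ exactly when double-and-add returns the point at infinity, which is the order test that the implementation section relies on.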

We let $\mathbb{F}_q$ denote $GF(q)$, the finite field with $q$ elements. We now state a few results for elliptic curves which are needed for the discussion in the next section. Two good general references for elliptic curves are Cassels [11] and Lang [1]. All of the results quoted below are contained therein, unless indicated otherwise. The number of points is $|E(\mathbb{F}_p)| = p + 1 - a_p$ where $|a_p| \le 2\sqrt{p}$ (the "Riemann hypothesis for finite fields", proved by Hasse in 1931 for elliptic curves). The Mordell-Weil theorem states that the rank of the free part of the group $E(\mathbb{Q})$ is finite (for any specific $E$). In fact it is usually quite small. Indeed, no one to date has been able to find an elliptic curve with rational coefficients whose rank is greater than 14 (this record is held by J.-F. Mestre; see [12] for a description of a rank 12 case).

A fundamental theorem of Néron and Tate (see [1]) is that there exists a unique positive semi-definite quadratic function $\hat h(P)$ such that for all $P \in E(\mathbb{Q})$ (even on $E(M)$ where $M$ is a number field)

$$\hat h(P) = h(P) + O(1).$$

The $O(1)$ is quite small, even being bounded by $\log \max(|a|, |b|)$ (see Zimmer [15]). In fact this bound always seems to be much too large (see [16]). We also have $\hat h(P) = 0$ if and only if $P$ is a point of finite order (of which there are at most 16, by a theorem of Mazur). The meaning of $\hat h(P)$ being a quadratic function is that

$$\langle P, Q \rangle = \hat h(P + Q) - \hat h(P) - \hat h(Q)$$

is a positive definite inner product. If $P_1, \ldots, P_r$ is a basis for the points of $E(\mathbb{Q})$ of infinite order, we define the regulator to be

$$R = \det\big(\langle P_i, P_j \rangle\big).$$

This value is independent of the basis chosen. We also define $|P| = \sqrt{\langle P, P \rangle}$. With the above normalization, $\langle P, P \rangle = 2\hat h(P)$.

Key exchange, and discrete elliptic logarithms

The Diffie-Hellman key exchange protocol [3] was proposed to allow agreement on a secret key between two parties communicating over an insecure channel. It operates as follows: a large prime $p$ and a primitive root $g$ of $p$ are made public. Party A chooses an exponent $a$ between $0$ and $p - 1$ at random. Party B does the same with an exponent $b$. Party A transmits $g^a$ to B, and vice versa. Both parties agree on $g^{ab}$. The security of this protocol rests on two unproven (but reasonable) assumptions:

1. Any method of obtaining $g^{ab}$ from $g^a$ and $g^b$ is as hard as obtaining $a$ from $g^a$ (taking "discrete logarithms").

2. If $p - 1$ does not have only small prime factors, then finding discrete logarithms is intractable (i.e. cannot be done in time polynomial in $\log p$).

Neither assumption has been disproven. However, Western and Miller [4], and Adleman [5] have come up with algorithms for the discrete logarithm problem which run in time $L(p)$, where

$$L(x) = \exp\left(\sqrt{\log x \, \log\log x}\right).$$

In addition, Pohlig and Hellman [17], and Pollard [18] have a method for calculating discrete logarithms, depending only on the fact that we are working in a group, which runs in time depending on $p'$, the largest prime factor of $p - 1$. Given current processing speeds, this escalates the size of the prime $p$ which must be used in order to make this method secure. A figure of $p \approx 2^{512}$ seems to be necessary.

The above protocol really only uses the property that we are working in a group. As stated above, the points on an elliptic curve have the structure of an abelian group. Thus we may make the analogous constructions over elliptic curves. We shall briefly describe the "index calculus" algorithm of Adleman, and Western and Miller, and give arguments why such an algorithm is not likely to work on elliptic curves. We have the reduction map

$$G_m(\mathbb{Q}^{(p)}) \to G_m(\mathbb{F}_p),$$

denoted by $x \mapsto \bar x$. Now

$$\big| G_m\big(r, \log(\sqrt p/2)\big) \big| = \big| \overline{G_m\big(r, \log(\sqrt p/2)\big)} \big| .$$

Let $\mathrm{prob}(r) = |G_m(r, \log(\sqrt p/2))| / (p - 1)$. This is the probability that an element of the multiplicative group is in the above image. As $r$ increases to $\pi(\sqrt p/2)$, $\mathrm{prob}(r)$ increases to 1.

The "index calculus" method fixes a value of $r$, and chooses exponents $a$ at random until there is an $x \in G_m(r, \log(\sqrt p/2))$ such that $\bar x = g^a$. The probability of that succeeding is $\mathrm{prob}(r)$. To each such successful test we have an equation

$$a \equiv v_0 l_0 + \cdots + v_r l_r \pmod{p - 1} \qquad (1)$$

where

$$x = p_0^{v_0} \cdots p_r^{v_r} \qquad (2)$$

and $l_k$ is such that $p_k \equiv g^{l_k} \pmod p$, with $p_0 = -1$. Evidently, we have $l_0 = (p - 1)/2$. We need to generate $r$ such independent equations. Once we have accumulated them, we may solve for the $l_k$.

Given $z \in \mathbb{F}_p$, we find $l$ such that $z = g^l$ as follows: choose $a \bmod p - 1$ at random until there exists $x \in G_m(r, \log(\sqrt p/2))$ such that $\bar x = z^a$. Then

$$a\,l \equiv v_0 l_0 + v_1 l_1 + \cdots + v_r l_r \pmod{p - 1}$$

where

$$x = p_0^{v_0} \cdots p_r^{v_r}.$$

We may then solve for $l$ (provided $a$ is prime to $p - 1$). Each such test has probability $\mathrm{prob}(r)$ of succeeding.
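As an added example, not from the paper, here is a toy index calculus for a safe prime $p = 2q + 1$, following equations (1) and (2) and the second stage with $z^a$. The prime $p = 1019 = 2 \cdot 509 + 1$, the primitive root $g = 2$ and the factor base of primes below 30 are constructed for illustration. The relations are solved modulo $q = (p-1)/2$ by Gauss-Jordan elimination (the paper's setting would use Wiedemann's sparse solver) and the parity of each $l_k$ is fixed from its quadratic character; every $l_k$ is verified with $g^{l_k} = p_k$ before it is used.

```python
# Added example (not from the paper): a toy index calculus for a safe prime p = 2q + 1,
# following equations (1) and (2) and the paper's second stage with z^a.
# p, g and the factor base are constructed; the relations are solved mod q by
# Gauss-Jordan elimination (the paper uses Wiedemann's sparse solver) and the
# parity of each l_k is fixed by the quadratic character.
import random
from math import gcd

P = 1019                      # safe prime: 1019 = 2 * 509 + 1
G = 2                         # primitive root (1019 = 3 mod 8, so 2 is a non-residue)
BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]   # p_1 .. p_r; p_0 = -1 is implicit

def smooth_vector(x, p, base):
    """Exponent vector [v_0, v_1, ..., v_r] with x = (-1)^{v_0} prod p_k^{v_k}, eq. (2),
    using the symmetric representative of x in (-p/2, p/2); None if x is not smooth."""
    x %= p
    if x > p // 2:
        x -= p
    sign, m = (1 if x < 0 else 0), abs(x)
    exps = [0] * len(base)
    for i, q in enumerate(base):
        while m % q == 0:
            m //= q
            exps[i] += 1
    return [sign] + exps if m == 1 else None

def solve_mod_prime(rows, q, nvars):
    """Gauss-Jordan elimination over F_q on augmented rows [v_0 .. v_{nvars-1} | a].
    Returns the unique solution, or None while the rows lack full rank."""
    M = [[c % q for c in row] for row in rows]
    for c in range(nvars):
        piv = next((i for i in range(c, len(M)) if M[i][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [v * inv % q for v in M[c]]
        for i in range(len(M)):
            if i != c and M[i][c]:
                fac = M[i][c]
                M[i] = [(vi - fac * vc) % q for vi, vc in zip(M[i], M[c])]
    return [M[c][nvars] for c in range(nvars)]

def factor_base_logs(g, p, base, rng):
    """Stage 1: collect relations a = sum v_k l_k (mod p-1), eq. (1), from smooth g^a,
    solve them mod q = (p-1)/2, then lift to mod p-1: g is a non-residue, so g^l is a
    residue iff l is even. Each l_k is verified with g^{l_k} = p_k before returning."""
    q = (p - 1) // 2
    elems = [p - 1] + base            # p_0 = -1 is p - 1 in F_p
    n = len(elems)
    rows = []
    while True:
        a = rng.randrange(1, p - 1)
        vec = smooth_vector(pow(g, a, p), p, base)
        if vec is None:
            continue
        rows.append(vec + [a])
        sol = solve_mod_prime(rows, q, n) if len(rows) >= n else None
        if sol is None:
            continue
        logs = []
        for e, lq in zip(elems, sol):
            parity = 0 if pow(e, q, p) == 1 else 1
            logs.append(lq + q * ((parity - lq) % 2))
        if all(pow(g, l, p) == e for e, l in zip(elems, logs)):
            return logs

def discrete_log(g, z, p, base, rng):
    """Stage 2: choose a prime to p-1 until z^a is smooth; then
    a*l = sum v_k l_k (mod p-1) gives l = a^{-1} sum v_k l_k."""
    logs = factor_base_logs(g, p, base, rng)
    while True:
        a = rng.randrange(1, p - 1)
        if gcd(a, p - 1) != 1:
            continue
        vec = smooth_vector(pow(z, a, p), p, base)
        if vec is not None:
            s = sum(v * l for v, l in zip(vec, logs)) % (p - 1)
            return s * pow(a, -1, p - 1) % (p - 1)

if __name__ == "__main__":
    rng = random.Random(1)
    l = discrete_log(G, 777, P, BASE, rng)
    print("log_2(777) mod 1019 =", l, "check:", pow(G, l, P) == 777)
```

The whole attack rests on the step the elliptic-curve analogue lacks: almost half of the residues, taken as small symmetric representatives, factor over a handful of generators of tiny height, so relations of the form (1) are cheap to find.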

There is a trade-off between increasing $r$ in order to make $\mathrm{prob}(r)$ bigger (in order to decrease the expected number of tests to make), and decreasing $r$ in order to make the calculation of the decomposition (2) faster and the system of equations to solve smaller. Fortunately, good algorithms exist for both of the latter problems. Using the new factorization algorithm of Lenstra [2], we may find the decomposition (2), or signal failure, in time

$$O\big(L(p)^{\sqrt{2\alpha} + \epsilon}\big)$$

where

$$\alpha = \frac{\log p_r}{\log p} \approx \frac{\log r + \log\log r}{\log p}.$$

The equations (1) are provably sparse, namely at most $\log p$ of the $v_k$ are $\neq 0$, because $p_1 \cdots p_r \approx e^{p_r}$ by the prime number theorem. We may solve these equations in random time $O(r^2 \log^2 p)$ by the algorithm of Wiedemann [13]. It is evident that this last figure is the big bottleneck in trying to make $r$ larger. It turns out that the optimum trade-off is made by letting $r = L(p)^{c-1}$ for some small constant $c$ between $3/2$ and $2$. The total running time turns out to be $L(p)^c$. Recently, Coppersmith, Odlyzko, and Schroeppel [14] have devised a slightly more complicated variant of the above, which has the above running time with $c = 1$.

The reason why the above algorithm works so well is that there are lots of free generators for the group $G_m(\mathbb{Q}^{(p)})$ which have fairly small heights. If one tries to use an analogous method with elliptic curves, one immediately runs into the barrier of the Mordell-Weil theorem (see above). We show below that this finiteness of the rank, combined with other estimates, makes it extremely unlikely that an "index calculus" attack on the elliptic curve method will ever be able to work. We may view $E(\mathbb{Q}) \otimes \mathbb{R}$ as an $r$-dimensional inner product space, with the inner product given above, which contains $E(\mathbb{Q})$ (modulo torsion) as a lattice whose fundamental domain has volume $\sqrt R$. Thus

$$|E(\mathbb{Q}) \cap H(K)| = \frac{V_r}{\sqrt R}\,(2K)^{r/2} + O\big(K^{(r-1)/2}\big),$$

where $V_r$ is the volume of the $r$-dimensional sphere of radius 1. Thus, unless the rank of the curve can be made very large and the regulator made fairly small, the probability of a point of $E(\mathbb{F}_p)$ lifting to a point on $E(\mathbb{Q})$ whose height is bounded by something reasonable (say a polynomial in $\log p$) is vanishingly small. In particular, in order to make the probability of finding a point with a specified height at least $p^{-\sigma}$, it is necessary to make $K = \Omega\big(p^{2(1-\sigma)/r}\big)$. That is, we must compute points whose coordinates are represented by rational numbers whose length is exponential in $\log p$. That is rather a daunting prospect!

Despite the remarks above about it being difficult to find curves of large rank, it is widely believed that there is no bound on the rank attainable. However, it is also true that $\mathrm{rank}(E(\mathbb{Q})) = O(\log \max(|a|, |b|))$. This shows that the size of the coefficients needs to be exponentially larger than the rank. This would seem to preclude high rank from the point of view of computational complexity. In fact, the above bound is really quite bad, which would tend to make the situation much worse from the point of view of computational complexity. As for a lower bound on the regulator, Lang has conjectured [1], and Silverman proved [7] (in some cases), that if $\hat h(P) \neq 0$ then $\hat h(P) > c_1 \log |\Delta_{\min}| + c_2$ for some constants $c_i$. This estimate is even true over algebraic number fields, with the constants depending on the field. Laurent [8] gives a precise lower bound for the constant $c_1$, if one takes $c_2 = 0$ (this only makes $c_1$ larger), of $c_3$ divided by $D$ times a power of $\log\log D$, where $D$ is the degree of the field over $\mathbb{Q}$ and $c_3$ is an absolute constant independent of the curve and the field. These estimates say that the regulator can't be too small, as long as $a$ and $b$ can't get too big. This remark would seem to preclude an attack which tries to look at points in $E(M)$ for some finite extension $M$ of $\mathbb{Q}$.

Even if one could somehow get around the barrier mentioned above, there is still the problem of actually lifting a point. In the original case of $G_m$ it is trivial, or nearly so. In the case of an elliptic curve it seems to be much more difficult. If we are given a point $(x, y) \in E(\mathbb{F}_p)$ and some point $(x_1, y_1) \in E(\mathbb{Z}/p^k\mathbb{Z})$ which projects to the original point, we could find a rational point $(X, Y)$ whose height is bounded by $k \log p - \log 8$ by an integer basis reduction algorithm ($L^3$ or Kannan) in the 3-dimensional lattice generated by the vectors

However, there are many possible choices for $(x_1, y_1)$, about $p^{k-1}$ of them. Furthermore, even though they are parametrizable, the parametrization is non-linear. Thus, unless there is a new idea, it would seem that this is another barrier, difficult to surmount.

Implementation and Practice

A number of details need to be addressed in order to make this scheme practical:

1. The actual algorithm for multiplication on an elliptic curve.

2. The choice of the parameters $a$ and $b$ for the elliptic curve.

3. The choice of the prime modulus $p$.

4. What information needs to be transmitted.

There are two possible algorithms that one could use for multiplying a point by an integer: the recursion cited above, or repeated use of addition and doubling with the binary method for multiplication. In either algorithm, it appears to be best to represent the points on the curve in the following form: each point is represented by the triple $(x, y, z)$, which corresponds to the point $(x/z^2, y/z^3)$. This is a homogeneous representation with $x$ having weight 2, $y$ having weight 3, and $z$ having weight 1. If this representation is used with the recursions in the first section, then it is easily checked that the only change is in the initialization. A simple induction shows that $g_{2n}$ has weight $4n^2 - 4$, and that $g_{2n+1}$ has weight $4n^2 + 4n$.

In order to be secure from the Pohlig-Hellman (or Pollard) algorithm, it is necessary that $N_p$, the number of points of $E$ over $\mathbb{F}_p$, have a prime factor $> p^\alpha$, for $\alpha$ as close to 1 as possible. This is made possible by the algorithm of Schoof [19], which calculates $N_p$ in time polynomial in $\log p$. In general it is not hard to find such good $p$. Theoretically, the best result known is one of Fouvry [20]: for any fixed non-zero integer $a$, a positive proportion of primes $p$ have the property that the largest prime factor of $p + a$ is $> p^\delta$ where $\delta = 0.6687$.

Instead of using the Schoof algorithm when searching for a good $p$, I have taken the following approach: choose the curve to be

$$E : \; y^2 = x^3 - ax$$

where $a$ is not a perfect square. This curve has complex multiplication by $\sqrt{-1}$, and there is an exact formula for $N_p$ (see [10]). In the case $p \equiv 3 \pmod 4$ we have $N_p = p + 1$. This is the so-called "supersingular" case. In this case we know even more. It is well known (see [1]) that any field containing the coordinates of all points of order $l$ also contains the $l$-th roots of unity. This shows that a necessary condition for the group of points over $\mathbb{F}_p$ to contain a subgroup isomorphic to $\mathbb{Z}/l\mathbb{Z} \times \mathbb{Z}/l\mathbb{Z}$ is that $l \mid p - 1$. Because the number of points in the supersingular case is $p + 1$, we have $l = 2$ as the only possibility. But, in our case, this happens if and only if $a$ is a quadratic residue modulo $p$. To sum up, in the case above the group of points modulo $p$ is of order $p + 1$, cyclic in the case $(a/p) = -1$, and a product of a cyclic group of order 2 and a cyclic group of order $(p + 1)/2$ when $(a/p) = 1$.
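As an added example, not from the paper, the claims of this paragraph can be checked directly for small primes: $N_p$ is obtained from the Legendre symbol, Hasse's bound is verified, and for $y^2 = x^3 - ax$ with $p \equiv 3 \pmod 4$ the count $N_p = p + 1$ and the cyclic/non-cyclic alternative are decided by the number of points of order 2 (the roots of $x^3 - ax = x(x^2 - a)$). The primes and values of $a$ below are constructed.

```python
# Added example (not from the paper): counting points on y^2 = x^3 + a x + b over F_p
# with the Legendre symbol, checking Hasse's bound, and verifying the claims above
# for y^2 = x^3 - a x with p = 3 mod 4. The primes and values of a are constructed.

def legendre(n, p):
    """(n/p) by Euler's criterion: 1 for a nonzero square, -1 otherwise, 0 for n = 0 mod p."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """N_p = 1 + sum_x (1 + ((x^3 + a x + b)/p)); the leading 1 is the point at infinity."""
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))

def hasse_ok(a, b, p):
    """|N_p - (p + 1)| <= 2 sqrt(p), i.e. (N_p - p - 1)^2 <= 4p."""
    return (count_points(a, b, p) - p - 1)**2 <= 4 * p

def two_torsion_points(a, b, p):
    """Points of order 2 are (x, 0) with x a root of x^3 + a x + b: one root gives a
    2-torsion subgroup Z/2, three roots give Z/2 x Z/2."""
    return sum(1 for x in range(p) if (x**3 + a * x + b) % p == 0)

def supersingular_structure(a, p):
    """For E: y^2 = x^3 - a x with p = 3 mod 4 return (N_p, cyclic). Since
    gcd(p + 1, p - 1) = 2, E(F_p) is non-cyclic iff it contains Z/2 x Z/2, iff
    x^3 - a x = x (x^2 - a) has three roots, iff a is a square mod p."""
    if p % 4 != 3:
        raise ValueError("the supersingular case needs p = 3 mod 4")
    return count_points(-a, 0, p), two_torsion_points(-a, 0, p) == 1

def failing_cases(primes, a_values):
    """(p, a) pairs for which N_p != p + 1 or cyclicity != ((a/p) == -1); expected empty."""
    bad = []
    for p in primes:
        for a in a_values:
            if a % p == 0:
                continue           # x^3 - a x would be singular
            n, cyclic = supersingular_structure(a, p)
            if n != p + 1 or cyclic != (legendre(a, p) == -1):
                bad.append((p, a))
    return bad

PRIMES_3MOD4 = [7, 11, 19, 23, 31, 43, 47, 59, 67, 71, 79, 83]   # constructed
A_VALUES = [2, 3, 5, 6, 7, 10, 13]                               # constructed

if __name__ == "__main__":
    print("N_7 and cyclicity for y^2 = x^3 - 2x:", supersingular_structure(2, 7))
    print("failures:", failing_cases(PRIMES_3MOD4, A_VALUES))
```

For a production-size $p$ the character sum is of course useless and Schoof's algorithm is the tool; the point here is only that the structural statement (order $p + 1$, cyclic exactly when $a$ is a non-residue) is checkable, and that a Pohlig-Hellman-resistant choice needs $(p+1)/2$ itself to have a large prime factor.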

The above choice of curve was taken for convenience in calculation. However, it may be prudent to avoid curves with complex multiplication, because the extra structure of these curves might somehow be used to give a better algorithm.

Finally, it should be remarked that even though we have phrased everything in terms of points on an elliptic curve, for the key exchange protocol (and other uses as one-way functions) only the $x$-coordinate needs to be transmitted. The formulas for multiples of a point cited in the first section make it clear that the $x$-coordinate of a multiple depends only on the $x$-coordinate of the original point.

BIBLIOGRAPHY

[1] Lang, Serge, Elliptic Curves: Diophantine Analysis, Springer-Verlag, New York, 1978.

[2] Lenstra, H. W., Letter to A. M. Odlyzko.

[3] Diffie, W. and Hellman, M., New Directions in Cryptography, IEEE Trans. Inform. Theory, IT-22 (1976), 644-654.

[4] Western, A. E., and Miller, J. C. P., Table of Indices and Primitive Roots, Royal Society Mathematical Tables, vol. 9, Cambridge Univ. Press, 1968.

[5] Adleman, L., A subexponential algorithm for the discrete logarithm problem with applications to cryptography, Proc. 20th IEEE Found. Comp. Sci. Symp. (1979), 55-60.

[6] Odlyzko, A. M., Discrete logarithms in finite fields and their cryptographic significance, preprint.

[7] Silverman, J., Lower bound for the canonical height on elliptic curves, Duke Math. J. 48 (1981), 633-648.

[8] Laurent, M., Minoration de la hauteur de Néron-Tate, Séminaire de Théorie des Nombres, Paris 1981-82, 137-151, Birkhäuser (1983).

[9] Birch, B. J., Swinnerton-Dyer, H. P. F., Notes on Elliptic Curves I, J. reine u. angewandte Math. 212 (1963), 7-25.

[10] Birch, B. J., Swinnerton-Dyer, H. P. F., Notes on Elliptic Curves II, J. reine u. angewandte Math. 218 (1965), 79-108.

[11] Cassels, J. W. S., Diophantine Equations with special reference to elliptic curves, J. London Math. Soc. 41 (1966), 193-291.

[12] Mestre, J.-F., Courbes elliptiques et formules explicites, Séminaire de Théorie des Nombres, Paris 1981-82, 179-187, Birkhäuser (1983).

[13] Wiedemann, D., Solving sparse linear equations over finite fields, preprint.

[14] Coppersmith, D., Odlyzko, A. M., and Schroeppel, R., Discrete logarithms in GF(p), IBM Research Report RC 10985 (1985).

[15] Zimmer, H. G., On the difference of the Weil height and the Néron-Tate height, Math. Z. 147 (1976), 35-51.

[16] Buhler, J., Gross, B., and Zagier, D., On the conjecture of Birch and Swinnerton-Dyer for an elliptic curve of rank 3, preprint.

[17] Pohlig, S. and Hellman, M., An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Inform. Theory IT-24 (1978), 106-110.

[18] Pollard, J. M., Monte Carlo methods for index computation (mod p), Math. Comp. 32 (1978), 918-924.

[19] Schoof, R., Elliptic curves over finite fields and the computation of square roots mod p, Report 83-09, Math. Inst. Univ. v. Amsterdam (1983).

[20] Fouvry, E., Théorème de Brun-Titchmarsh; application au théorème de Fermat, Invent. Math. 79 (1985), 383-407.

[21] Bremner, A. and Cassels, J. W. S., On the equation $Y^2 = X(X^2 + p)$, Math. Comp. 42 (1984), 257-264.



Cryptography with Cellular Automata 



Stephen Wolfram 

The Institute for Advanced Study, Princeton NJ 08540. 
(November 1985) 



EXTENDED ABSTRACT*

This abstract discusses a stream cipher based on a simple one-dimensional cellular automaton. The cellular automaton consists of a circular register with $N$ cells, each having a value $a_i$ equal to 0 or 1. The values are updated synchronously in discrete time steps according to the rule

$$a_i' = a_{i-1} \;\mathrm{XOR}\; (a_i \;\mathrm{OR}\; a_{i+1}), \qquad (1a)$$

or, equivalently,

$$a_i' = (a_{i-1} + a_i + a_{i+1} + a_i a_{i+1}) \bmod 2. \qquad (1b)$$

The initial state of the register is used as a seed or key. The values $a_i^{(t)}$ attained by a particular cell through time can then serve as a random sequence. Ciphertext $C$ can be obtained from binary plaintext $P$ as usual according to $C_t = P_t \;\mathrm{XOR}\; a_i^{(t)}$; the plaintext can be recovered by repeating the same operation, but only if the sequence $a_i^{(t)}$ is known.

Cellular automata such as (1) have been investigated in studies of the origins of randomness in physical systems [2]. They are related to non-linear feedback shift registers, but have slightly different boundary conditions.

Figure 1 shows the pattern of cell values produced by (1) with a seed consisting of a single nonzero cell in a large register. The time sequence of values of the centre cell shows no statistical regularities under the tests of ref. [3] (for sequence lengths up to $2^{19} \approx 5 \times 10^5$). Some definite spacetime patterns are nevertheless produced by the cellular automaton rule.

In the limit $N \to \infty$ the cellular automaton evolution is like an iterated continuous mapping of the Cantor set, and can be studied using dynamical systems theory [4]. One result is that the evolution is unstable with respect to small perturbations in the initial seed. A change produced by reversing a single cell value typically expands at a rate given by Lyapunov exponents, equal to 0.25 on the left, and 1

* Many more details are given in ref. [1].



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 429-432, 1986.
© Springer-Verlag Berlin Heidelberg 1986

on the right. Length $T$ time sequences of cell values are found however to be affected on average only by about $1.19\,T$ initial values.

Iterations of the cellular automaton rule (1) can be considered as Boolean functions of initial cell values. Disjunctive normal forms (minimized using [5]) for these functions are found to increase in size roughly as $4^{0.65\,t}$, giving some indication of the complexity of the cellular automaton evolution.

Figure 2 shows the complete state transition diagram for the cellular automaton (1) in a register of size $N = 11$. For large $N$, an overwhelming fraction of states lie on the longest cycle. But there are also shorter cycles, often corresponding to states with special symmetries. Figure 3 shows the length of the longest cycle as a function of $N$. The results (up to $N = 53$, which gives cycle length 40114679273) fit approximately $2^{0.61 N}$. The mapping (1) is not a bijection, but is almost so; only a fraction $\kappa^N \approx 0.85^N$ of states do not have unique predecessors [6] ($\kappa$ is the real root of $4\kappa^3 - 2\kappa^2 - 1 = 0$).

The security of a cryptographic system based on (1) relies on the difficulty of finding the seed from a time sequence of cell values. This problem is in the class NP. No systematic algorithm for its solution is currently known that takes a time less than exponential in $N$. No statistical regularities have been found in sequences shorter than the cycle length.

One approach to the problem of finding the seed [6] uses the near linearity of the rule (1). Equation (1) can be written in the alternative form $a_{i-1} = a_i' \;\mathrm{XOR}\; (a_i \;\mathrm{OR}\; a_{i+1})$. Given the values of cells in two adjacent columns, this allows the values of all cells in a triangle to the left to be reconstructed. But the sequence provided gives only one column. Values in the other column can be guessed, and then determined from the consistency of Boolean equations for the seed. But in disjunctive normal form the number of terms in these equations increases linearly with $N$, presumably making their solution take a time more than polynomial in $N$.

The cellular automaton (1) can be implemented efficiently on an integrated circuit; it requires less than ten gate delay times to generate each output bit, and can thus potentially be used in a variety of high-bandwidth cryptographic applications.
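As an added example, not part of Wolfram's abstract, the following code runs rule (1) on a circular register, uses the centre cell as keystream, checks that (1a) and (1b) agree, carries out the leftward inversion $a_{i-1} = a_i' \;\mathrm{XOR}\; (a_i \;\mathrm{OR}\; a_{i+1})$ from two adjacent columns to recover the triangle to their left, and computes the longest cycle of the state transition graph for a small register. The 31-cell seed and the 16-bit plaintext are constructed here.

```python
# Added example (not from Wolfram's abstract): rule (1) on a circular register as a
# keystream generator, the leftward inversion behind the "near linearity" remark,
# and the longest cycle of the state transition graph for a small register.
# The 31-cell seed and the 16-bit plaintext are constructed here.

def step(state):
    """One synchronous update by (1a): a_i' = a_{i-1} XOR (a_i OR a_{i+1}), indices mod N."""
    N = len(state)
    return [state[i - 1] ^ (state[i] | state[(i + 1) % N]) for i in range(N)]

def step_poly(state):
    """The same update written as (1b): (a_{i-1} + a_i + a_{i+1} + a_i a_{i+1}) mod 2."""
    N = len(state)
    return [(state[i - 1] + state[i] + state[(i + 1) % N]
             + state[i] * state[(i + 1) % N]) % 2 for i in range(N)]

def rules_agree(N=8):
    """Exhaustively check (1a) == (1b) on every state of an N-cell register."""
    for s in range(2**N):
        bits = [(s >> j) & 1 for j in range(N)]
        if step(bits) != step_poly(bits):
            return False
    return True

def history(seed, T):
    """Space-time diagram: history[t][i] is cell i at time t, for t = 0..T-1."""
    rows = [list(seed)]
    for _ in range(T - 1):
        rows.append(step(rows[-1]))
    return rows

def keystream(seed, length, cell=None):
    """Time sequence of one cell (the centre cell by default); the seed is the key."""
    cell = len(seed) // 2 if cell is None else cell
    return [row[cell] for row in history(seed, length)]

def xor_with_keystream(bits, seed):
    """C_t = P_t XOR a^{(t)}; applying it twice with the same seed recovers the plaintext."""
    return [b ^ k for b, k in zip(bits, keystream(seed, len(bits)))]

def reconstruct_left(col_i, col_ip1):
    """Inversion a_{i-1}^t = a_i^{t+1} XOR (a_i^t OR a_{i+1}^t): from the time series of
    cells i and i+1 for t = 0..T-1 recover cell i-1 for t = 0..T-2."""
    return [col_i[t + 1] ^ (col_i[t] | col_ip1[t]) for t in range(len(col_i) - 1)]

def reconstruct_triangle(hist, i, depth):
    """From columns i and i+1 of a history recover columns i-1, ..., i-depth, each one
    time step shorter than the last: the triangle to the left. Returns {column: series}."""
    N = len(hist[0])
    col_i = [row[i % N] for row in hist]
    col_ip1 = [row[(i + 1) % N] for row in hist]
    found = {}
    for k in range(1, depth + 1):
        col_im1 = reconstruct_left(col_i, col_ip1)
        found[(i - k) % N] = col_im1
        col_ip1, col_i = col_i[:len(col_im1)], col_im1
    return found

def reconstruction_matches(hist, i, depth):
    """True if every reconstructed value agrees with the actual history."""
    found = reconstruct_triangle(hist, i, depth)
    return all(hist[t][c] == v for c, series in found.items() for t, v in enumerate(series))

def longest_cycle(N):
    """Length of the longest cycle in the state transition graph of (1) on N cells."""
    def encode(bits):
        return sum(b << j for j, b in enumerate(bits))
    nxt = [encode(step([(s >> j) & 1 for j in range(N)])) for s in range(2**N)]
    best, seen = 0, set()
    for s in range(2**N):
        path, pos, cur = [], {}, s
        while cur not in seen and cur not in pos:
            pos[cur] = len(path)
            path.append(cur)
            cur = nxt[cur]
        if cur in pos:                      # closed a cycle not seen before
            best = max(best, len(path) - pos[cur])
        seen.update(path)
    return best

SEED = [int(c) for c in "1001011010110011100010101101011"]   # constructed 31-bit key
PLAINTEXT = [int(c) for c in "0110100001101001"]              # constructed: ASCII "hi"

if __name__ == "__main__":
    ct = xor_with_keystream(PLAINTEXT, SEED)
    print("roundtrip ok:", xor_with_keystream(ct, SEED) == PLAINTEXT)
    print("triangle reconstruction ok:", reconstruction_matches(history(SEED, 40), 15, 10))
    print("longest cycle, N = 11:", longest_cycle(11))
```

The reconstruction routine is the half of the attack that is cheap: given any two adjacent columns it runs linearly. What the abstract argues is hard is obtaining the second column, which the keystream does not provide.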

Much of the work summarized here was done while I was consulting at Thinking Machines Cor- 
poration (Cambridge, MA). I am grateful for discussions with many people, including Persi Diaconis, 
Carl Feynman, Richard Feynman, Shafi Goldwasser, Erica Jen and John Milnor. 



References 

1. S. Wolfram, "Random sequence generation by cellular automata", to be published in Advances 
in Applied Mathematics. 

2. S. Wolfram, "Origins of randomness in physical systems", Phys. Rev. Lett 55, 449 (1985); S. 
Wolfram, "Cellular automata as models of complexity", Nature 311, 419 (1984). 

3. D. Knuth, Seminumerical Algorithms, (Addison-Wesley, 1981). 

4. S. Wolfram, "Universality and complexity in cellular automata", Physica 10D, 1 (1984). 

5. R. Rudell, espresso software program. Computer Science Dept., University of California, Berkeley 
(1985). 

6. C. Feynman and R. Feynman, private communication. 







Figure 1. Pattern produced by evolution according to the cellular automaton of eqn. (1) from a simple seed containing a single nonzero bit. 250 successive states of an arbitrarily large register are shown; black squares represent nonzero cells. Columns of cell values, say in the centre, seem random for practical purposes.

Figure 2. Complete state transition diagram for the cellular automaton of eqn. (1) in a circular register of size $N = 11$. There are $2^{11}$ states, each represented by dots. Evolution from any state leads eventually to one of the cycles shown.

Figure 3. Length of the longest cycle as a function of register size $N$.



Efficient Parallel Pseudo-Random Number Generation 

J. H. Reif¹

J. D. Tygar²

Aiken Computation Laboratory 
Harvard University 
Cambridge, MA 02138 



0. Abstract

We present a parallel algorithm for pseudo-random number generation. Given a seed of $n^\varepsilon$ truly random bits for any $\varepsilon > 0$, our algorithm generates $n^c$ pseudo-random bits for any $c > 1$. This takes poly-log time using $n^{\varepsilon'}$ processors where $\varepsilon' = k\varepsilon$ for some fixed small constant $k > 1$. We show that the pseudo-random bits output by our algorithm can not be distinguished from truly random bits in parallel poly-log time using a polynomial number of processors with probability $1/2 + 1/n^{O(1)}$ if the multiplicative inverse problem almost always can not be solved in RNC. The proof is interesting and is quite different from previous proofs for sequential pseudo-random number generators.

Our generator is fast and its output is provably as effective for RNC algorithms as truly random bits. Our generator passes all the statistical tests in KNUTH[14].

Moreover, the existence of our generator has a number of central consequences for complexity theory. Given a randomized parallel algorithm $A$ (over a wide class of machine models such as parallel RAMs and fixed connection networks) with time bound $T(n)$ and processor bound $P(n)$, we show $A$ can be simulated by a parallel algorithm with time bound $T(n) + O((\log n)(\log\log n))$, processor bound $P(n)\,n^\varepsilon$, and only using $n^\varepsilon$ truly random bits for any $\varepsilon > 0$.

¹ Supported in part by NSF grant NSF-MCS-79-21024 and ONR contract N0014-80-C-0674.
² Supported in part by a NSF graduate fellowship and NSF grant MCS-81-21431.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 433-446, 1986.
© Springer-Verlag Berlin Heidelberg 1986

Also, we show that if the multiplicative inverse problem is almost always not in RNC, then RNC is within the class of languages accepted by uniform poly-log depth circuits with unbounded fan-in and strictly sub-exponential size $\bigcap_{\varepsilon > 0} 2^{n^\varepsilon}$.

1. Introduction 

A number of parallel randomized algorithms have appeared recently. These algorithms typically use a large number of random bits which must be generated in a small amount of time. Nonetheless, the area of parallel random bit generation remains unexplored.

In reality, our computers are deterministic and unable to generate truly random values. But we can give algorithms which will give pseudo-random bits on input of a random seed $s_0$. These pseudo-random bits satisfy conditions which suggest that for algorithmic purposes they are as effective as truly random bits.

What conditions should a pseudo-random bit sequence satisfy?

Improving an idea by SHAMIR[17], BLUM-MICALI[6] argue that the notion of "cryptographic strength" captures the important facets of random sequences. To demonstrate cryptographic strength they follow this schema:

1. Upper bound the computational resources by Resources A.

2. Assume that Problem B cannot be solved within the limits of Resources A.

3. Produce a Pseudo-Random Bit Generator G.

4. Argue that if an opponent sees the first $m_0$ bits generated by Pseudo-Random Bit Generator G and can utilize Resources A to predict the remaining bits with an accuracy rate of $1/2 + \varepsilon(m)$ (where $m$ is the size of the seed and $\varepsilon$ is a fixed function satisfying $\lim_{m \to \infty} \varepsilon(m) = 0$), then the opponent will be able to solve Problem B limited to Resources A by consulting the bit-guessing oracle, a contradiction.

Several cryptographically-strong pseudo-random bit generators have been proposed (BLUM-BLUM-SHUB[5], BLUM-MICALI[6]), and many applications have been discussed (ALEXI-CHOR-GOLDREICH-SCHNORR[3], GOLDREICH-GOLDWASSER-MICALI[9], GOLDWASSER-MICALI-TONG[10], VAZIRANI-VAZIRANI[20], YAO[22]). These generators are all inherently sequential, require polynomial time, and their cryptographic strength relies on some unproven cryptographic assumption.






Notation

When we say a class of circuits is uniform, we mean that it is constructible in logarithmic space by a deterministic Turing Machine.

NC (NC$_U$) is the class of languages accepted by (uniform, respectively) deterministic circuits with poly-log depth and polynomial size.

RNC (RNC$_U$) is the class of languages accepted by (uniform, respectively) randomized circuits with one-sided error, poly-log depth, polynomial size, and acceptance probability greater than 1/2.

We give more precise definitions of these terms in section 4.

Our Result

We present a new cryptographically-strong pseudo-random bit generator which runs in NC$_U$ but which is secure against attacks taking parallel poly-log time if the multiplicative inverse problem almost always is not in RNC. While we use the schema described above for demonstrating the cryptographic strength of our random number generator, because of the inherent parallel nature of our generator the technical details of our proof are quite different from those of previous proofs for sequential pseudo-random number generators. In particular, we prove that if the bits output by our pseudo-random bit generator can be predicted in NC, then we can solve the multiplicative inverse problem in RNC almost always, and this requires that we construct an interesting, nontrivial, parallel algorithm for that problem. (See section 3.)

About the Assumption 

While our assumption has not been proved, it is quite interesting to observe that it is testable in the following sense: if an RNC algorithm takes more than poly-log time using our pseudo-random bits instead of truly random bits, then we can observe this event by timing. Thus one of two scenarios is possible: either every application of our generator to an RNC algorithm yields a poly-log algorithm using only a small number of random bits, or some application of our generator is discovered to exceed its poly-log time bounds and we can immediately derive an NC algorithm for multiplicative inverse.






About the Measure of Randomness

VALIANT-SKYUM-BERKOWITZ-RACKOFF[19] show that an NC-machine can evaluate any straight-line program which computes a multivariate polynomial which has degree polynomial in the length of the program. Thus if our assumption is correct, our pseudo-random bit generator is secure against any statistical test which can be so formulated as a straight-line program. This includes most standard statistical tests for random number generators. (KNUTH[14])

Applications

Our method for parallel pseudo-random bit generation is actually very practical. It requires, for any $\varepsilon > 0$, only $O(\log n (\log\log n))$ added depth and a factor of $n^\varepsilon$ for a bounded fan-in circuit. Here is an example: KARP-WIGDERSON[12] gives a deterministic algorithm for the maximal independent set problem in $O((\log n)^4)$ time using $O(n^3/(\log n)^3)$ processors. They also give a uniform randomized algorithm for the same problem running in $O((\log n)^3)$ expected time with $O(n^2)$ processors using $O(n^2)$ random bits. Our results immediately yield a uniform algorithm with $O((\log n)^3)$ running time and $O(n^{2+\varepsilon})$ processors using only $n^{\varepsilon'}$ random bits, where $\varepsilon, \varepsilon' > 0$ can be set arbitrarily small.

Recently KARP-UPFAL-WIGDERSON[13] have shown that finding a maximum graph matching is in RNC$_U$, and ANDERSON[2] has shown that finding a maximal path is in RNC$_U$. Our results also immediately yield efficient randomized uniform algorithms for these problems, using only $n^\varepsilon$ bits for any $\varepsilon > 0$.

In further work REIF-TYGAR[16], we have applied results given in this paper to prove randomness properties of rational linear iterative maps modulo 1.

Implications

An interesting theoretical application of our result is that RNC$_U$ is contained within the class of languages recognized by uniform deterministic circuits of unbounded fan-in with poly-log depth and $2^{n^\varepsilon}$ size for any $\varepsilon > 0$. (ADLEMAN[1] proved RNC$_U$ is contained in (non-uniform) NC, but the previous best construction for bounding RNC$_U$ by deterministic uniform circuits of poly-log depth required $2^{n^{O(1)}}$ size.) This extends a result of YAO[22] for sequential polynomial time computations to poly-log time parallel computations.



2. Definitions and Results 
Notation 

We use the following notation throughout the paper: 

N      A positive composite integer such that each prime factor of N is greater than N^c for a 
fixed c > 0. 

Z*_N   The multiplicative group of positive integers less than and relatively prime to N. (Note 
that the fact that N has only large factors implies that a random positive integer less 
than N is an element of Z*_N with high probability.) 

We will sometimes use x mod N to indicate the residue of x modulo N. 
Definitions 

An NC-machine (COOK[8]) is a deterministic parallel algorithm which runs on n^{O(1)} P-RAM 
processors in time (log n)^{O(1)} for input of size n. (Note that NC_U is the class of 
languages accepted by NC-machines.) 

An RNC-machine is a randomized parallel algorithm which runs on n^{O(1)} P-RAM 
processors in time (log n)^{O(1)} for input of size n. (Note that RNC_U is the class of languages 
accepted by RNC-machines.) 

Given s_0 ∈ Z*_N, the multiplicative inverse of s_0 modulo N is the s_0^{-1} such that s_0 · s_0^{-1} = 
1 mod N. 

For a fixed N, given an arbitrary k ∈ Z*_N, the multiplicative inverse problem is to find the 
multiplicative inverse of k modulo N. Note that the input size to the problem is n = ⌈log N⌉. 

The problem of finding multiplicative inverses in poly-log depth has been studied 
extensively (COOK[8], KANNAN-MILLER-RUDOLPH[11], REIF[15], VON ZUR GATHEN[21]). 
Based on the lack of significant positive results obtained so far we conjecture: 

Complexity Hypothesis 

There exists an infinite sequence of numbers N_1, N_2, ... constructable in NC_U such that 
for each n = 1, 2, ... we have n = ⌈log N_n⌉ and that for almost all n, no RNC-machine exists 
which can on arbitrary input from Z*_{N_n} solve the multiplicative inverse problem on any of those 
elements. 

(Actually we could replace this complexity assumption with the weaker assumption that 
there exists a k such that for almost all n there exists an n' such that n < n' < n^k and no 
RNC-machine can solve the multiplicative inverse problem where the input can again range over 
arbitrary elements of Z*_{N_{n'}}. All the theorems in this paper would remain true under that 
weaker assumption.) 

Definitions 

A set S of bit sequences a = (b_1, ..., b_J) of length J = n^{O(1)} pseudo-random bits is RNC-
cryptographically strong if no RNC-machine can, on a random input {b_1, ..., b_i ∈ a} (i < J, a ∈ 
S), predict any one bit b_{i+1}, ..., b_J with expected success of 1/2 + 1/n^{O(1)}. Informally, the bit 
sequences are RNC-cryptographically strong if no RNC-machine can predict untransmitted 
bits with an expected success rate significantly better than 1/2. 

Theorem 

If the complexity hypothesis holds there exists a deterministic NC-machine G which 
on an input seed of n bits outputs an RNC-cryptographically strong sequence of J = n^{O(1)} 
pseudo-random bits. G can be computed by a bounded fan-in uniform boolean circuit of 
depth O((log n)(log log n)) and size n^{O(1)}. 
This theorem is proved in section 3. 

Definition 

An RNC-statistical test is an RNC-machine which attempts to distinguish truly random 
bit sequences from pseudo-random bit sequences. A statistical test succeeds if it correctly 
distinguishes the pseudo-random bit sequences from truly random bit sequences with probability 
at least 1/n^{O(1)}. 

By a technique due to YAO[22] we can show that no RNC-statistical test can succeed on 
RNC-cryptographically strong bit sequences. Hence: 



Corollary 1 

If the complexity hypothesis holds then no RNC-statistical test can succeed on our 
pseudo-random bit generator G. 

Corollary 2 

If the N_n are constructable in depth h(n), then given a randomized parallel algorithm A 
(over a wide class of machine models such as parallel RAMs and fixed connection networks) 
with time bound T(n) and processor bound P(n), A can be simulated by a parallel 
algorithm with time bound T(n) + h(n) + O((log n)(log log n)), processor bound P(n)·n^{ε'}, 
using only n^ε truly random bits, for any ε > 0, where ε' = O(ε). 

CIRCUIT_U(D(n), S(n)) is the class of languages accepted by uniform deterministic circuits 
with unbounded fan-in, depth D(n), and size S(n). (See section 4 for a precise definition of 
these complexity classes.) 

Corollary 3 

If the complexity hypothesis holds then 

    RNC_U ⊆ ⋃_{c>0} ⋂_{ε>0} CIRCUIT_U((log n)^c, 2^{n^ε}). 

This corollary is proved in section 4. 

Corollary 4 

There exists a cryptosystem where encryption and decryption can be done by an NC-
machine on n^{O(1)} bits given a secret shared key exactly n bits long (here n is a security 
parameter). If no RNC-machine can solve the multiplicative inverse problem then no RNC-
machine can decrypt ciphertext exchanged in this cryptosystem. 

We use the pseudo-random bits as a "one-time pad": we take the bitwise exclusive-or 
of the plaintext and the pseudo-random bits to produce the ciphertext, and take the bitwise 
exclusive-or of the ciphertext and the pseudo-random bits to obtain the plaintext again. 
Encryption and decryption both take parallel poly-log time, but an opponent cannot decrypt 
the ciphertext with an RNC-machine. 



3. The Proof of the Main Theorem 
Properties 

We recall the following facts which we use implicitly (BEAME-COOK-HOOVER[4], 
REIF[15], SCHÖNHAGE-STRASSEN[18]): 

• There exists an NC-machine for multiplication of two numbers in Z*_N. 

• 2 log p multiplications suffice to find the p-th power of a number in Z*_N. 

• If p ≤ (log N)^{O(1)}, there exists an NC-machine for finding the p-th power of a number in 
Z*_N. 

Fix m = ⌈log N⌉ throughout this section. 

Let G be the NC-machine which performs the following operations: 
Input: random elements s_0, k ∈ Z*_N. 
Output: b_1, ..., b_J where J = m^{O(1)}. 

Method: In parallel each processor P_i (i = 1, ..., J) calculates s_i = k·s_0^i mod N and 
b_{J-i+1} = B(s_i), where 

    B(x) = 0  if x < N/2, 
    B(x) = 1  if x > N/2. 

Lemma 

If there exists an RNC-machine which can determine the value of b_J with probability 1 
(i.e., no error) on input b_1, ..., b_{J-1}, then there exists an RNC-machine which can solve the 
multiplicative inverse problem for Z*_N. 

Proof of Lemma 

Suppose that MB (for "magic box") is an oracle which can determine the value of b_J with 
probability 1. Then given s_0 ∈ Z*_N we can find s_0^{-1} mod N. We can find this by running in 
parallel the following algorithm on each processor P_j for 0 ≤ j < m: 

Set k ← 2^j. In parallel set b_i ← B(k·s_0^{J-i-1} mod N) for 1 ≤ i ≤ J − 1. Note that b_J = B(2^j·s_0^{-1} mod N). 
Feed the sequence (b_1, ..., b_{J-1}) to MB to get b_J. Set the j-th most significant bit of δ to be 
B(2^j·s_0^{-1} mod N). Define 

    φ(δ) = ⌈δ·N / 2^m⌉. 

Then s_0·φ(δ) = 1 mod N. □ 
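
Added here as a worked example (not code from the paper): the generator G of this section and the inversion algorithm of the Lemma, run on a constructed toy modulus, with a stand-in oracle playing the hypothesised perfect predictor MB.

```python
"""Reif-Tygar generator G and the Lemma's inversion argument (section 3).

Added example, not code from the paper: the generator is s_i = k*s0^i mod N,
b_{J-i+1} = B(s_i); the Lemma turns a perfect predictor of b_J into s0^{-1}.
The modulus used below is a constructed toy value so everything runs at once;
a real N has only large prime factors and hundreds of bits.
"""
from math import gcd


def B(x, N):
    """The paper's predicate: 0 if x < N/2, 1 if x > N/2 (N is odd, so never equal)."""
    return 0 if 2 * x < N else 1


def generate(s0, k, N, J):
    """Generator G on seed (s0, k): processor P_i computes s_i = k*s0^i mod N and
    writes b_{J-i+1} = B(s_i).  Each bit is an independent modular power, which is
    why the whole output is one NC step rather than a sequential chain."""
    bits = [0] * J
    for i in range(1, J + 1):
        bits[J - i] = B(k * pow(s0, i, N) % N, N)   # b_{J-i+1} sits at 0-based index J-i
    return bits


def lemma_prefix(s0, k, N, J):
    """The J-1 bits the Lemma feeds to MB: b_i = B(k*s0^(J-i-1) mod N), 1 <= i <= J-1.
    Read left to right, the underlying elements are divided by s0 at each step,
    exactly as in G's output, so the 'next' bit is b_J = B(k*s0^{-1} mod N)."""
    return [B(k * pow(s0, J - i - 1, N) % N, N) for i in range(1, J)]


def make_magic_box(s0, N):
    """Stand-in for the hypothesised predictor MB (the probability-1 case of the Lemma).
    To demonstrate the reduction it cheats: it is told the multiplier k behind the
    prefix and answers B(k*s0^{-1} mod N) exactly.  The reduction below only sees
    its one-bit answers; it never touches s0_inv itself."""
    s0_inv = pow(s0, -1, N)                  # needs Python 3.8+

    def mb(prefix_bits, k):
        return B(k * s0_inv % N, N)
    return mb


def phi(delta, N, m):
    """phi(delta) = ceil(delta*N / 2^m), the only integer in the interval
    [delta*N/2^m, (delta+1)*N/2^m), whose length N/2^m is < 1 because 2^m > N."""
    return -((-delta * N) >> m)


def invert_with_oracle(s0, N, mb, J=16):
    """The Lemma's algorithm.  Processor P_j (0 <= j < m) sets k = 2^j, builds the
    prefix, asks MB for b_J = B(2^j*s0^{-1} mod N) and stores it as the j-th most
    significant bit of delta.  Those m bits are the first m binary digits of the
    fraction s0^{-1}/N, so phi(delta) is s0^{-1}."""
    assert N % 2 == 1 and N > 1 and gcd(s0, N) == 1
    m = N.bit_length()                       # m = ceil(log2 N) since N is not a power of two
    delta = 0
    for j in range(m):                       # independent processors in the paper; a loop here
        k = pow(2, j, N)
        bit = mb(lemma_prefix(s0, k, N, J), k)
        delta = (delta << 1) | bit
    return phi(delta, N, m)


if __name__ == "__main__":
    N, s0 = 7 * 11 * 19, 5                   # constructed toy modulus 1463, m = 11
    print(generate(s0, 3, N, 12))
    inv = invert_with_oracle(s0, N, make_magic_box(s0, N))
    print(inv, inv * s0 % N)                 # 878 1
```
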
Theorem 

If there exists an RNC-machine which can determine the value of b_J with probability at 
least 1/2 + 1/m^{O(1)} on input b_1, ..., b_{J-1} then there exists an RNC-machine M which can solve 
the multiplicative inverse problem for Z*_N. M can be computed by a bounded fan-in boolean 
circuit of depth O((log n)(log log n)) and size n^{O(1)}. 



Proof of Theorem 

Assume that there exists an RNC-machine MB which can predict b_J with probability 
1/2 + 2/m^c. Let H = 2(c + 1)⌈log m⌉. Let δ and φ be as in the proof of the lemma. 

Let S = {0, 1, ..., 2^{H-1} − 1}. For each 0 ≤ y < x ≤ m, we will create, by randomized 
methods, two functions F_{x,y}: S → {0,1}^{x-y} and G_{x,y}: S → S. Informally, values in S are 
guesses; F_{x,y} is a rule for transforming a guess j_x ∈ S into the x-th to y-th most significant bits 
of δ, and G_{x,y} is a rule for transforming the guess j_x ∈ S into the guess j_y ∈ S. 

If an RNC-machine could find δ for arbitrary s_0, we could solve the multiplicative inverse 
problem. It will turn out that for some j_m ∈ S, F_{m,0}(j_m) = δ with probability 1/2. We can 
verify this occurrence simply by checking whether s_0·φ(δ) = 1 mod N. If we don't immediately 
find s_0^{-1} mod N, we simply form a new F_{m,0} by randomized methods, and continue testing 
until we do find s_0^{-1} mod N. 

Suppose we can determine j_x such that we know that (2^x·s_0^{-1} mod N) belongs to one of 
the two intervals 

    [ j_x·N / 2^H , (j_x + 1)·N / 2^H )   and   [ (2^{H-1} + j_x)·N / 2^H , (2^{H-1} + j_x + 1)·N / 2^H ). 

We can pick 2^H random values β ∈ Z*_N and let v be MB's prediction for 

    B(2^x·s_0^{-1} + β mod N), 

obtained by feeding MB the sequence of the lemma with k = 2^x + β·s_0 mod N. When β lies in the interval 

    [ 0 , (2^{H-1} − j_x − 1)·N / 2^H )   or   [ (2^H − j_x)·N / 2^H , N ) 

mark a vote for v; when β lies in the interval 

    [ (2^{H-1} − j_x)·N / 2^H , (2^H − j_x − 1)·N / 2^H ) 

mark a vote for the complement of v; and mark a null vote when β lies in the other intervals. By 
assumption, MB predicts correctly with probability at least 1/2 + 2/m^c. 

We can assign a processor to calculate MB's prediction for each of the 2^H randomly chosen 
values of β ∈ Z*_N. This computation can be done in poly-log time for each β. The expected 
fraction of null votes is 2^{1-H} < 1/m^c. Thus we have a bias of at least 2/m^c − 1/m^c = 1/m^c 
between 0 and 1 votes. Set F_{x,x-1}(j_x) (our guess for B(2^x·s_0^{-1} mod N)) to be the value which got 
the most votes. If our guess for B(2^x·s_0^{-1} mod N) is right, this immediately identifies which 
of the two intervals (2^x·s_0^{-1} mod N) belongs to. 2^H tests are sufficient to make our guess 
correct with probability at least 1 − 1/2^m. This result follows immediately from Chernoff 
bounds (CHERNOFF[7]); full details will appear in the complete paper. If our guess is right, 
that immediately determines the value of j_{x-1}; that is, we can determine that (2^{x-1}·s_0^{-1} mod 
N) lies in one of the two intervals 

    [ j_{x-1}·N / 2^H , (j_{x-1} + 1)·N / 2^H )   and   [ (2^{H-1} + j_{x-1})·N / 2^H , (2^{H-1} + j_{x-1} + 1)·N / 2^H ), 

namely 

    j_{x-1} = G_{x,x-1}(j_x) = ⌊j_x / 2⌋ + 2^{H-2}·F_{x,x-1}(j_x). 

We can calculate in parallel, for each m ≥ x ≥ 1, the functions F_{x,x-1} and G_{x,x-1}, since 
the domain is finite and of polynomial size. If x − y > 1, then F_{x,y} and G_{x,y} can be recursively 
defined as 

    F_{x,y}(j_x) = F_{z,y}(G_{x,z}(j_x))·2^{x-z} + F_{x,z}(j_x) 

and 

    G_{x,y}(j_x) = G_{z,y}(G_{x,z}(j_x)), 

where z = ⌊(x + y)/2⌋. For each x, y pair (0 ≤ y < x ≤ m) and each j_x ∈ S we repeatedly 
calculate the appropriate compositions of these functions for all j_x in the domain of the 
functions. Thus we can compute F_{m,0} in ⌈log m⌉ stages. 

Some guess j_m is correct. Suppose that for all 1 ≤ x ≤ m, (1) G_{x,x-1}(j_x) is the 
correct value of j_{x-1}. Then (2) F_{m,0}(j_m) would be the correct value of δ. For each x, the 
probability that (1) is true for a particular j_x is (1 − 2^{-m}), so the probability that (2) is true 
is (1 − 2^{-m})^{m-1} ≥ 1 − (m − 1)·2^{-m} > 1/2. 



For some j_m ∈ S, it will be true that F_{m,0}(j_m) = δ with probability 1/2. We can try 
all possible j_m in parallel, and find out if we have a correct value by checking whether 
φ(F_{m,0}(j_m))·s_0 = 1 mod N. (Of course, it might happen that an incorrect guess for j_m gives 
a correct value for δ, but this can only speed the calculation.) In the event that we do 
not get the correct value for s_0^{-1} mod N, we simply form new F_{x,y} and G_{x,y} functions and 
continue until we do get the correct value. □ 

4. Randomized and Deterministic Parallel Complexity 

Let C be a list of circuits (C_1, C_2, ...) of unbounded fan-in where C_n has n inputs and 
size S(n). We consider C to be uniform if there exists a (log S(n))-space deterministic Turing 
machine which, given any n, outputs the circuit C_n. Let CIRCUIT(D(n), S(n)) be the class of 
all languages accepted by deterministic boolean circuits with unbounded fan-in, depth D(n), 
and size S(n). As usual we define 

    NC = ⋃_{k_1>0, k_2>0} CIRCUIT((log n)^{k_1}, n^{k_2}). 

We allow a randomized boolean circuit C to have r special nodes each of which is assigned an 
independent random bit chosen from {0, 1} with equal probability. C accepts an input 
ω ∈ {0,1}^n if C outputs 1 with probability > 1/2; otherwise C rejects the input. For 
simplicity, we consider only one-sided error randomized circuits which never output a 1 on an 
input they have rejected. (The construction below can easily be extended to two-sided error 
randomized circuits which have an acceptance probability of at least 1/2 + 1/n^k for some 
k ≥ 1.) Let RCIRCUIT(D(n), S(n)) be the class of languages accepted by randomized circuits 
with unbounded fan-in, depth D(n), and size S(n). We define 

    RNC = ⋃_{k_1>0, k_2>0} RCIRCUIT((log n)^{k_1}, n^{k_2}). 

We define CIRCUIT_U, NC_U, RCIRCUIT_U, and RNC_U analogously, restricting the circuits 
to be uniform. 

Corollary 3 

If the complexity hypothesis holds then 

    RNC_U ⊆ ⋃_{c>0} ⋂_{ε>0} CIRCUIT_U((log n)^c, 2^{n^ε}). 



Proof 

Let C be a (one-sided error) uniform randomized boolean circuit with n inputs, depth 
D(n) = (log n)^{k_1}, and size S(n) = n^{k_2}. Fix any ε > 0. 

First suppose we had a source of b = ⌊n^{ε/2}⌋ truly random bits. Observe that C uses 
at most S(n) = n^{k_2} random bits on each execution. Since S(n) ≤ b^{c'} where c' = ⌈2k_2/ε⌉ is 
constant, we can apply our parallel pseudo-random bit generator G to produce S(n) pseudo-
random bits in (log n)^{O(1)} parallel time using n^{O(1)} processors and using the b truly random 
bits as the seed. We can view the execution of C on the given input ω as a statistical test. 
By Corollary 2, given an input ω ∈ {0,1}^n, we need only execute C on ω for each of the 2^b 
possible pseudo-random bit sequences. We accept ω if C ever outputs 1. 

Furthermore, we can avoid the use of a truly random seed by simply (1) enumerating all 
b-bit numbers in parallel; (2) executing the parallel pseudo-random bit generator using each 
of the b-bit numbers as a seed; and (3) executing C in parallel on ω on each of the resulting 
pseudo-random bit sequences. If C ever outputs 1 we accept ω. The resulting uniform circuit 
requires size 2^{b^2} ≤ 2^{n^ε} and depth (log n)^{O(1)} + O(D(n)) = (log n)^{O(1)}. □ 

Note that if we require that our simulation circuit have bounded fan-in, then to simulate 
a circuit accepting a language in RNC_U, we require n^{O(1)} depth (rather than (log n)^{O(1)}) and 
2^{n^ε} size. This is an improvement over previous size bounds for RNC_U. 

6. Acknowledgements 

We would like to thank Michael Rabin for being an inspiration to us in the fields of 
randomized algorithms and cryptography. 

We are indebted to Silvio Micali for his many helpful and insightful comments on this 
manuscript. 

Also, thanks to Benny Chor, Shafi Goldwasser, Johan Hastad, Brian O'Toole, Charles 
Rackoff, Les Valiant, and Vijay Vazirani for their comments. 

7. Bibliography 

[1] L. ADLEMAN, Two Theorems on Random Polynomial Time, Proc. 19th IEEE Symposium 
on Foundations of Computer Science, Ann Arbor, MI, October 1978, pp. 75-83. 

[2] R. ANDERSON, A Parallel Algorithm for the Maximal Path Problem, Proc. 17th ACM 
Symposium on Theory of Computing, Providence, RI, May 1985, pp. 33-37. 

[3] W. ALEXI, B. CHOR, O. GOLDREICH, AND C. SCHNORR, RSA/Rabin Bits Are 
1/2 + 1/poly(log N) Secure, Proc. 25th IEEE Symposium on Foundations of Computer 
Science, Singer Island, FL, October 1984, pp. 449-457. 

[4] P. BEAME, S. COOK, AND H. HOOVER, Small Depth Circuits for Integer Products, 
Powers, and Division, Proc. 25th IEEE Symposium on Foundations of Computer 
Science, Singer Island, FL, October 1984, pp. 1-6. 

[5] L. BLUM, M. BLUM, AND M. SHUB, A Simple Secure Pseudo-Random Number 
Generator, Proc. of CRYPTO-82, Santa Barbara, CA, September 1982, pp. 112-117. 

[6] M. BLUM AND S. MICALI, How to Generate Cryptographically Strong Sequences of 
Pseudo-Random Bits, SIAM J. Comp., 13 (1984), pp. 850-864. 

[7] H. CHERNOFF, A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on 
the Sum of Observations, Ann. Math. Statist., 23 (1952), pp. 493-507. 

[8] S. COOK, Towards a Complexity Theory of Synchronous Parallel Computation, (Presented 
at) Inter. Symp. Logic. Alg. (1980). 

[9] O. GOLDREICH, S. GOLDWASSER, AND S. MICALI, How to Construct Random Functions, 
Proc. 25th IEEE Symposium on Foundations of Computer Science, 
Singer Island, FL, October 1984, pp. 464-479. 

[10] S. GOLDWASSER, S. MICALI, AND P. TONG, Why and How to Establish a Private 
Code on a Public Network, Proc. 23rd IEEE Symposium on Foundations of Computer 
Science, Chicago, IL, October 1982, pp. 134-144. 

[11] R. KANNAN, G. MILLER, AND L. RUDOLPH, Sublinear Parallel Algorithms for the 
Greatest Common Divisor of Two Integers, Proc. 25th IEEE Symposium on Foundations 
of Computer Science, Singer Island, FL, October 1984, pp. 7-11. 

[12] R. KARP AND A. WIGDERSON, A Fast Parallel Algorithm for the Maximal Independent 
Set Problem, Proc. 16th ACM Symposium on Theory of Computing, Washington, 
DC, May 1984, pp. 266-272. 

[13] R. KARP, E. UPFAL, AND A. WIGDERSON, Constructing a Perfect Graph Matching 
in RNC, Proc. 17th ACM Symposium on Theory of Computing, Providence, RI, May 
1985, pp. 22-32. 

[14] D. KNUTH, The Art of Computer Programming, vol. 2: Seminumerical Algorithms, 
2nd ed., Addison-Wesley, Reading, MA, 1981. 

[15] J. REIF, Logarithmic Depth Circuits for Algebraic Functions, Proc. 24th IEEE Symposium 
on Foundations of Computer Science, Tucson, AZ, October 1983, pp. 138-145. 
Revised in Technical Report TR-84-18, Center for Research in Computing Technology, 
Harvard University. To appear in SIAM J. Comp. 

[16] J. REIF AND J. TYGAR, The Complexity of Chaotic Iterative Maps. To appear. 

[17] A. SHAMIR, On the Generation of Cryptographically Strong Pseudo-Random Sequences, 
ACM Trans. on Comp. Sys., 1 (1983), pp. 38-44. 

[18] A. SCHÖNHAGE AND V. STRASSEN, Schnelle Multiplikation grosser Zahlen, Computing, 
7 (1974), pp. 281-292. 

[19] L. VALIANT, S. SKYUM, S. BERKOWITZ, AND C. RACKOFF, Fast Parallel Computation 
of Polynomials Using Few Processors, SIAM J. Comp., 12 (1983), pp. 641-644. 

[20] U. VAZIRANI AND V. VAZIRANI, Trapdoor Pseudo-Random Number Generators with 
Applications to Protocol Design, Proc. 24th IEEE Symposium on Foundations of Computer 
Science, Tucson, AZ, October 1983, pp. 23-30. 

[21] VON ZUR GATHEN, Private communication. 

[22] A. YAO, Theory and Applications of Trapdoor Functions, Proc. 23rd IEEE Symposium 
on Foundations of Computer Science, Chicago, IL, October 1982, pp. 80-91. 



How to Construct Pseudo-random Permutations 
from Pseudo-random Functions 



Michael Luby 
Charles Rackoff 
Department of Computer Science 
University of Toronto 
Toronto, Canada M5S 1A4 

ABSTRACT 

Let F^n be the set of all functions from n bits to n bits. Let f^n specify 
for each key k of a given length a function f_k^n ∈ F^n. We say f^n is pseudo-
random if the following two properties hold: 

(1) Given a key k and an input α of length n, the time to evaluate f_k^n(α) is 
polynomial in n. 

(2) If a random key k is chosen, f_k^n "looks like" a random function chosen from 
F^n to any algorithm which is allowed to evaluate f_k^n at polynomially (in n) many 
input values. 

Let P^{2n} be the set of permutations (1-1 onto functions) from 2n bits to 2n 
bits. Let p^{2n} specify for each key k of a given length a permutation 
p_k^{2n} ∈ P^{2n}. We present a simple method for describing p^{2n} in terms of f^n. 
The method has the property that if f^n is pseudo-random then p^{2n} is also 
pseudo-random. The method was inspired by a study of the security of the Data 
Encryption Standard. This result, together with the result of Goldreich, 
Goldwasser and Micali [GGM], implies that if there is a pseudo-random number 
generator then there is a pseudo-random invertible permutation generator. We 
also prove that if two permutation generators which are "slightly secure" are 
cryptographically composed, the result is more secure than either one alone. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, p. 447, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 



The Bit Security of Modular Squaring 
given Partial Factorization of the Modulus 

Benny Chor*   Oded Goldreich†   Shafi Goldwasser‡ 
MIT, Laboratory for Computer Science 
Cambridge, MA 01239 



Abstract. It is known that given a composite integer N = p_1·p_2 (such that p_1 ≡ p_2 ≡ 3 
(mod 4)), and q a quadratic residue modulo N, guessing the least significant bit of a square root 
of q with any non-negligible advantage is as hard as factoring N. 

In this paper we extend the above result to multi-prime numbers N = p_1·p_2···p_l (such that 
p_1 ≡ p_2 ≡ ··· ≡ p_l ≡ 3 (mod 4)). We show that given N and q, a quadratic residue mod 
N, guessing the least significant bit of a square root of q is as hard as completely factoring N. 
Furthermore, the difficulty of guessing the least significant bit of the square root of q remains 
unchanged even when all but two of the prime factors of N, p_3, ..., p_l, are known. 
The result is useful in designing multi-party cryptographic protocols. 

1. Introduction 

The problem of factoring large composite integers is perhaps the single most important 
computational problem in public key cryptography, as is evident from the large number of 
cryptosystems based on it (e.g. RSA [15], Rabin [13], Williams [18], Goldwasser-Micali [10]). 
The importance of the factoring problem motivated various research efforts. Among those are 

1) Designing more efficient factorization algorithms. 

2) Investigating the security of specific bits in the modular squaring function. 

3) Investigating factorization algorithms given partial information on the factors [14]. 

Most of these works have concentrated on composite numbers N which are the product of two 
primes p_1·p_2. 

In this paper we investigate the problem of bit security for the modular squaring function 
with respect to multi-prime composites N = p_1·p_2···p_l. The salient property of our work is 
that we investigate the bit security given partial factorization p_3, ..., p_l of N (i.e. all but two 

* Supported in part by an IBM Graduate Fellowship and a Bantrell Postdoctoral Fellowship. 

† Supported in part by a Weizmann Postdoctoral Fellowship. On leave from the Computer Sc. Dept., Technion. 

‡ Supported in part by an IBM Faculty Development Award (1984) and NSF Grant DCR-8509905. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 448-457, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 



factors are known). We show that the partial factorization does not help. More specifically, 
any non-negligible advantage in guessing the least significant bit in the x² (mod N) function is 
equivalent to factoring the remaining pair p_1·p_2 (and thus totally factoring N). In other words, if it 
is infeasible to factor two-prime composites, then it is infeasible to guess the least significant bit 
in the squaring modulo N function even if one has almost all of N's factors. 

Our work extends the results of Alexi, Chor, Goldreich and Schnorr [1], who considered the bit 
security of the RSA and Rabin functions. These two functions are defined with respect to two-prime 
moduli N = p·q. The RSA function is defined as raising to a power e and reducing modulo 
N (where e and (p − 1)(q − 1) are relatively prime). Rabin's function is squaring modulo N. 
The RSA is 1-to-1, while Rabin's function is 4-to-1. This difference is crucial in trying to extend 
the [1] results to multi-prime moduli. Extending the RSA result to multi-prime moduli is easy, 
since the extended function is still 1-to-1. In the case of Rabin's function, squaring modulo an 
l-prime modulus is a 2^l-to-1 function, and dealing with it is more complicated. In this paper, we 
demonstrate how these complications can be resolved. 

Our results have applications in the design of multi-party cryptographic protocols. In 
particular, they are useful in contexts where partial factorization, but not complete factorization, is 
released to a subset of the participants, while certain information must still be kept secret. 
Combining our result with techniques of probabilistic encryption [10,5], arbitrary information can be 
encoded so that it still remains totally secure in such circumstances. 

The remainder of this paper is organized as follows. In section 2 we introduce notation and 
terminology. In section 3 we review previous related results. In section 4 the main result is 
proved. In section 5 we mention two applications to the design of multi-party cryptographic 
protocols. We conclude by proposing an open problem. 

2. Terminology 

We begin this section by presenting some number theoretic terminology which will be used 
throughout the paper. We proceed by defining a specific class of composite integers which will 
constitute the domain of our investigation. We conclude this section by formally defining the 
notion of a "factoring bit". 

2.1 Preliminaries 

Definition 1: Let N be a natural number. Z_N will denote the ring of integers modulo N, where 
addition and multiplication are done modulo N. The length of N will be denoted by n. 

Definition 2: Let N be a natural number, and x an integer. [x]_N will denote the remainder of 
x modulo N (notice that for all x, 0 ≤ [x]_N < N). L_N(x) will denote the least significant bit of 
[x]_N in the ordinary binary expansion. 

Definition 3: Let N be an integer. Then a is said to be a quadratic residue modulo N if there 
exists an integer x such that x² ≡ a (mod N). Otherwise, a is said to be a quadratic non-residue 
modulo N. Let us denote by Q_N the set of quadratic residues modulo N. 

Let N = p_1·p_2···p_l be a product of l distinct odd primes. Note that a is a quadratic residue 
modulo N if and only if a is a quadratic residue modulo each of the p_i's. 

Definition 4: Let p be an odd prime number, and h an integer relatively prime to p. The 
Legendre symbol (h/p) is defined to be 1 if h is a quadratic residue modulo p, and −1 otherwise. 
For N = p_1·p_2···p_l, a product of l distinct odd primes, and h relatively prime to N, the Jacobi 
symbol (h/N) is defined to be ∏_{i=1}^{l} (h/p_i). 

Even though the definition of the Jacobi symbol uses the factorization of N, it is well known 
that (h/N) can be easily computed even if N's factorization is not given. Another fact which is used in 
this paper is the multiplicativity of the Jacobi symbol, namely (h·h'/N) = (h/N)·(h'/N). For further 
details on these properties and their proofs, see [12, ch. 3]. 

2.2 Blum Integers 

When all the prime factors of N = p_1·p_2···p_l are congruent to 3 (mod 4), the set of quadratic 
residues modulo N has an interesting property. Each quadratic residue has exactly one square 
root which is a quadratic residue itself. In other words, squaring modulo N is a permutation 
over Q_N. Blum was the first to point out the cryptographic significance of this fact [3]. Let 
BI = { N | N = p_1·p_2···p_l, p_i ≡ 3 (mod 4), 1 ≤ i ≤ l }, and call N ∈ BI Blum Integers. 

Definition 5: Let N = p_1·p_2···p_l be in BI, and q be a quadratic residue modulo N. We denote 
by √q the square root of q which is a quadratic residue itself, namely (√q)² = q and √q ∈ Q_N. 
We restrict our attention to N ∈ BI, since for each quadratic residue q ∈ Q_N, √q and the 
least significant bit of √q are well defined. 
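
An added worked example for Definitions 3 to 5 (not the paper's code): it computes the Jacobi symbol without the factorization and, for a constructed three-prime Blum integer, checks that squaring permutes Q_N and extracts the quadratic-residue root √q of Definition 5 from the factors, whose least significant bit L_N(√q) is the bit the oracles of section 2.3 try to guess.

```python
"""Blum integers, Jacobi symbols and the quadratic-residue square root (section 2).

Added example, not the paper's code.  It uses a constructed three-prime Blum
integer N = 7*11*19 (all primes are 3 mod 4) to exhibit the facts section 2
relies on: (h/N) is computable without N's factors, squaring permutes Q_N, each
q in Q_N has exactly one root in Q_N (sqrt_Q below), so L_N(sqrt q) is well defined.
Because N is a toy value we also hold its factorization and can cross-check.
"""
from math import gcd


def jacobi(h, N):
    """Jacobi symbol (h/N) for odd N > 0 via quadratic reciprocity; no factoring needed."""
    assert N > 0 and N % 2 == 1
    h %= N
    result = 1
    while h:
        while h % 2 == 0:                     # (2/N) = -1 exactly when N = 3 or 5 (mod 8)
            h //= 2
            if N % 8 in (3, 5):
                result = -result
        h, N = N, h                           # reciprocity: sign flips iff both are 3 (mod 4)
        if h % 4 == 3 and N % 4 == 3:
            result = -result
        h %= N
    return result if N == 1 else 0            # 0 means gcd(h, N) > 1


def is_blum(primes):
    """BI membership for a given factorization: distinct odd primes, each 3 (mod 4)."""
    return len(set(primes)) == len(primes) and all(p % 4 == 3 for p in primes)


def quadratic_residues(N):
    """Q_N: squares of the units modulo N (Definition 3 on Z_N^*)."""
    return {x * x % N for x in range(1, N) if gcd(x, N) == 1}


def sqrt_Q(q, primes):
    """The square root of q that is itself in Q_N (Definition 5), computed from the
    factors: for p = 3 (mod 4), q^((p+1)/4) is the QR root of q mod p, and the l
    local roots are glued together with the Chinese Remainder Theorem."""
    N = 1
    for p in primes:
        N *= p
    x = 0
    for p in primes:
        r = pow(q % p, (p + 1) // 4, p)       # r*r = q (mod p) and r is a power of q, so a QR
        M = N // p
        x = (x + r * M * pow(M, -1, p)) % N   # CRT term: r mod p, zero modulo every other prime
    return x


def qr_roots(q, N):
    """All square roots of q modulo N that lie in Q_N, by brute force (toy N only)."""
    QN = quadratic_residues(N)
    return [x for x in range(1, N) if x * x % N == q and x in QN]


def lsb_of_qr_root(q, primes):
    """L_N(sqrt q): the least significant bit an oracle of Definition 6 tries to guess."""
    return sqrt_Q(q, primes) & 1


if __name__ == "__main__":
    primes = [7, 11, 19]                      # constructed Blum integer N = 1463
    N = 7 * 11 * 19
    QN = quadratic_residues(N)
    print(len(QN), all(len(qr_roots(q, N)) == 1 for q in QN))   # 135 True: squaring permutes Q_N
    print(sqrt_Q(4, primes), lsb_of_qr_root(4, primes))          # 625 1: the QR root of 4 is not 2
```
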

2.3 Bit Security for Factoring 

Following [6] and [11], we formally define the notion of bit security for factoring. For the 
definition, recall that n denotes the length of N. 

Definition 6: Let O_N be a probabilistic oracle which, given a quadratic residue q (modulo N), 
outputs a guess, O_N(q), for L_N(√q) (this guess might depend on the internal coin tosses of O_N). 
Let ε(·) be a function from integers into the interval [0, 1/2]. We say that O_N is an ε(n)-oracle if 
the probability that the oracle is correct, on an input q randomly selected from the set Q_N, is 
at least 1/2 + ε(n). 

The probability space in the definition is that of all q ∈ Q_N and all 0-1 sequences of internal 
coin tosses, with uniform distribution. Notice that there are no requirements on the oracle if it 
is fed as input a number in Z_N which is not a quadratic residue. 

Definition 7: We say that the least significant bit of √· is ε(n)-secure if there is a probabilistic 
polynomial time algorithm that on input N, q ∈ Q_N and access to an arbitrary ε(n)-oracle for 
the least significant bit, O_N, computes √q. 

Remarks: As is customary, we say that an algorithm is polynomial time if its running time is 
polynomial in its input length. In particular, the run time will be polynomial in n, the length (in 
binary) of the modulus N. In the last definition, the specific polynomial might depend on ε(·). 
The same applies to the next definition. 

Definition 8: We say that the least significant bit of √· is ε(n)-secure even if the factorization of 
N is partially known if there is a probabilistic polynomial time algorithm that on input N, q ∈ 
Q_N, some (but not all) of the prime factors of N and access to an arbitrary ε(n)-oracle for the least 
significant bit, O_N, computes √q. 

We will subsequently replace ε(n) by ε for notational convenience. However, ε will still be a 
function of n. 

3. Previous Results 

In this section, we briefly review related previous results by Rabin [13], Blum, Blum and Shub 
[4], Alexi, Chor, Goldreich and Schnorr [1] and Vazirani and Vazirani [17]. 

3.1 The Equivalence of Factoring and Extracting Square Roots 

Theorem 1 (Rabin): The following problems are probabilistic polynomial time equivalent: 

1) Factoring a composite integer N, the product of two primes. 

2) Given N and q ∈ Q_N, finding a square root of q. 

This Theorem easily extends to multi-prime integers. 

3.2 Reducing Square Root Extraction to a Strange Oracle 

Following a sequence of results in [11,2,16,9], Alexi, Chor, Goldreich and Schnorr [1] proved 
1/poly(n)-security results for the least significant bit of a variant of the squaring modulo N = 
p_1·p_2 function. Their proof can be broken into two parts. First, a special type of oracle, called an 
(ε,q)-oracle, is defined (see below). It is shown that factoring is in polynomial time given access to 
an (ε,q)-oracle. Next, it was shown that an (ε/2, q)-oracle can be implemented using any ε-oracle 
for the least significant bit of a particular square root. 

Definition 9: Let N ∈ BI and q ∈ Q_N be a quadratic residue. An (ε,q)-oracle is an oracle that 
on input s ∈ Z_N outputs L_N(s·√q) with probability at least 1/2 + ε. (Here the probability is taken 
over all possible choices of s and the internal coin tosses of the oracle with uniform probability 
distribution.) 

The following Theorem is implicit in [1]. 

Theorem 2 (Alexi, Chor, Goldreich and Schnorr): There exists a probabilistic polynomial time 
algorithm that on input N = p_1·p_2 ∈ BI, q ∈ Q_N and access to an arbitrary (ε,q)-oracle, finds √q. 

The proof of Theorem 2 is almost identical to the proof in [1] of equivalence between inverting 
the RSA and guessing its least significant bit. While Theorem 2 deals with two-prime composites, 
it extends to multi-prime composites. Combining the extended Theorems 1 and 2, we get 

Corollary 1: There exists a probabilistic polynomial time algorithm that on input N = 
p_1·p_2···p_l, q ∈ Q_N and access to an (ε,q)-oracle, completely factors N. 

It is left to be shown that on input N ∈ BI, q ∈ Q_N and access to an ε-oracle for L_N(√·), an 
(ε/2, q)-oracle can be implemented. This will be discussed in the next subsection. 

3.3 Reducing the Strange Oracle to an LSB Oracle when N = p_1·p_2 

In this subsection we deal with implementing an (ε,q)-oracle, given access to an ε-oracle for 
L_N(√·). The main difficulty lies in the fact that an (ε,q)-oracle must perform well when s ranges 
over Z_N while the ε-oracle is guaranteed to perform well only when its input ranges over Q_N. 

The approach taken in resolving this difficulty is to map the queries to the (ε,q)-oracle into 
"queries" and "non-queries" to the ε-oracle. "Queries" are answered by invoking the ε-oracle, 
while "non-queries" are answered by flipping a coin. This requires the ability to distinguish 
"queries" from "non-queries". For N = p_1·p_2, two alternative implementations of this abstract 
approach were suggested. 

The First Alternative 

In [1], a slightly different predicate was considered (and shown to be equivalent to factoring). 
Instead of L_N(√·) (the least significant bit of the square root which is a quadratic residue itself), 
they considered B_N(·), the least significant bit of the square root which has Jacobi symbol 1 and 
is smaller than N/2. In the setting of [1] it is easy to test whether [s·√q]_N < N/2 and whether 
the Jacobi symbol (s/N) equals 1. Such s's are mapped to "queries". 

In the case of two-prime moduli each quadratic residue has a unique square root which satisfies 
the two conditions. However, in case the modulus has l > 2 factors, each quadratic residue has 
2^{l-2} roots which satisfy the above two conditions. Thus, the solution of [1] to implementing the 
(ε,q)-oracle does not seem to extend to multi-prime moduli. 



453 



The Second Alternative 

A different method of implementing the (ε, q)-oracle was suggested by Vazirani and Vazirani 
[17]. They observed that by Blum, Blum and Shub [4], the quadratic residuosity of s modulo a 
two-prime composite N can be determined by using an ε-oracle O_N for the least significant bit. 
If s ∈ Q_N then the ε-oracle for L_N(s√q) is invoked, else a coin is flipped. 

The advantage of this method is that the square root which is a quadratic residue itself is 
well defined also for multi-prime Blum integers. So there is hope of extending this method. 

Let us recall how quadratic residuosity can be tested using an ε-oracle for the least significant bit. 

Theorem 3 (Blum, Blum and Shub): Let N = p1p2 ∈ BI. There exists a probabilistic polynomial 
time algorithm that, on input N, s ∈ Z_N and access to any ε-oracle for the least significant bit, 
O_N, determines whether s ∈ Q_N. 

Proof's sketch: If (s/N) = −1 then answer "s ∉ Q_N". We are left with the case that (s/N) = 
1. Consider the following experiment. Randomly select r ∈ Q_N with uniform probability 
distribution (this is done by choosing an element in Z_N, with uniform probability, and squaring 
it). Let b be the oracle's answer on query [(r·s)²]_N. Clearly, 

$$s \in Q_N \ \text{ implies } \ \Pr(b = L_N(r \cdot s)) \ge \tfrac{1}{2} + \epsilon .$$

On the other hand, if s ∉ Q_N then −r·s ∈ Q_N. As is always the case, L_N(r·s) = 1 − L_N(−r·s) 
and thus 

$$s \notin Q_N \ \text{ implies } \ \Pr(b = L_N(r \cdot s)) \le \tfrac{1}{2} - \epsilon .$$

So the two cases s ∈ Q_N and s ∉ Q_N can be distinguished (with high probability) by sampling 
polynomially many r's. ∎ 

A crucial point in the proof is that for two-prime moduli N = p1p2, q ∈ Q_N has only two 
square roots with Jacobi Symbol +1. One of them is √q and the other is −√q. This is not the 
case when N has more than two prime factors. In fact, q has 2^{l−1} square roots which have Jacobi 
symbol +1. In the next section we show "a way around" this last problem. 

4. The Main Result 

In this section we implement an (ε, q)-oracle, given access to an ε-oracle O_N, where N is a 
multi-prime Blum integer. This, in turn, implies that an ε-oracle for the least significant bit, O_N, 
enables the complete factorization of N. 

Theorem 4: Let N = Mp3p4···pl, M = p1p2 and N ∈ BI, where the p_i's are distinct odd 
primes. Then there is a probabilistic polynomial time algorithm that on input N, q ∈ Q_N, 
p3, p4, ..., pl and access to an arbitrary ε-oracle for the least significant bit, O_N, implements an 
(ε/2^{l+1}, q)-oracle. 

Proof: Let Q'_N = {s : (s/p1) = (s/p2) = −1 and (s/p_i) = 1 for every 3 ≤ i ≤ l}. 
Given q ∈ Q_N, and access to the ε-oracle for the least significant bit, O_N, we implement an 
(ε, q)-oracle as follows. On query s ∈ Z_N, we first compute the Jacobi Symbol (s/N) and 
the Legendre Symbols (s/p3), (s/p4), ..., (s/pl). If either of the above equals −1 then s ∉ Q_N ∪ Q'_N, 
and we return the outcome of an unbiased coin flip. It remains to deal with s ∈ Q_N ∪ Q'_N. We 
consider two cases: 

• Case I: The oracle O_N's answers to L_N(s√q) are considerably worse for s ∈ Q'_N, compared to 
s ∈ Q_N. In this case we first use O_N to test whether s ∈ Q_N. Our answer to L_N(s√q) is 
O_N(s²·q) if s ∈ Q_N, and a flip of a coin if s ∈ Q'_N. 

• Case II: The oracle O_N's answers to L_N(s√q) are not considerably worse for s ∈ Q'_N, compared 
to s ∈ Q_N. In this case, we answer L_N(s√q) by O_N(s²·q). Intuitively, it does not matter 
here whether s ∈ Q_N or s ∈ Q'_N. 

To treat the above cases formally, we define the success probabilities of O_N on query [r²]_N where 
r ∈ Q_N (correspondingly r ∈ Q'_N) is randomly chosen. (The probabilities are taken over O_N's 
internal coin tosses.) Let 

$$f = \Pr\bigl(O_N(r^2) = L_N(r)\bigr) \quad \text{where } r \text{ is randomly chosen in } Q_N,$$

$$f' = \Pr\bigl(O_N(r^2) = L_N(r)\bigr) \quad \text{where } r \text{ is randomly chosen in } Q'_N .$$

By O_N's definition, f ≥ 1/2 + ε, but no a-priori bounds on f' are known. 

With overwhelmingly high probability (say 1 − 2^{−n}), both f and f' can be approximated 
with good accuracy (say ε/8) by the following polynomial time Monte Carlo experiments: To 
approximate f, randomly select many independent r ∈ Q_N with uniform probability distribution. 
(A random r ∈ Q_N is selected by picking an element of Z_N at random and squaring it modulo N.) 
Compare O_N's answer on [r²]_N with the known L_N(r). To approximate f', randomly select many 
independent r ∈ Q'_N with uniform probability distribution, and compare O_N's answer on [r²]_N 
with the known L_N(r). A random r ∈ Q'_N is selected by picking r' ∈ Q_M and r'' ∈ Q_{p3p4···pl} at 
random, setting r ≡ −r' (mod M) and r ≡ r'' (mod p3p4···pl), and computing r by the Chinese 
Remainder Theorem. 

Let us denote the above approximations by f̂ and f̂' respectively (i.e. |f̂ − f| < ε/8 and |f̂' − f'| < 
ε/8 with overwhelmingly high probability). We now consider two cases. 

Case I: f̂' < f̂ − ε/2. 

In this case we will use O_N to test whether s ∈ Q_N. To do that, randomly select r ∈ Q_N with 
uniform probability distribution. Let b be the oracle's answer on query [(r·s)²]_N. If s ∈ Q_N then 
Pr(b = L_N(r·s)) = f, while if s ∈ Q'_N then Pr(b = L_N(r·s)) = f'. Since |f − f'| > ε/4 (with 
overwhelming probability), the two cases can be distinguished by a Monte-Carlo experiment. 

If we have decided that s ∈ Q_N then we query the oracle on s²q and return whatever it has 
answered (i.e. we return O_N(s²q)). Otherwise, we flip an unbiased coin and return its outcome. 

Case II: f̂' ≥ f̂ − ε/2. 

In this case we will not try to test whether s ∈ Q_N or s ∈ Q'_N, but rather query O_N on s²q 
and return O_N(s²q). Here f' > 1/2 + ε/4 with overwhelming probability. 
Probability Analysis 

We now analyze the probability that the answer to L_N(s√q) produced by the above procedure 
is correct. The probability space is that of all choices of s ∈ Z_N and all internal coin tosses with 
uniform distribution. 

The event s ∉ Q_N ∪ Q'_N occurs with probability 1 − 2·2^{−l} and is always detected. In this 
case the above procedure is correct with probability exactly one half. 

The event s ∈ Q_N ∪ Q'_N occurs with probability 2^{−l+1}. In Case I, the answer is correct with 
probability (1/2)(1/2 + f) ≥ 1/2 + ε/4 (up to the overwhelmingly small error term of the approximations). 
In Case II, the answer is correct with probability (1/2)(f + f') ≥ 1/2 + ε/4 (with the same qualification). 
The overall probability that our procedure is correct is therefore bounded below by 

$$\frac{1}{2} + \frac{\epsilon}{2^{l+1}} .$$

Thus, we have implemented an (ε/2^{l+1}, q)-oracle. ∎ 

The proof of Theorem 4 shows how to implement an (ε/2^{l+1}, q)-oracle given an ε-oracle for the least 
significant bit L_N(·), where N has l prime factors. Thus, when l = O(log n) the advantage of 
the new oracle is polynomially (in n) related to the advantage of the original one. Combining 
Corollary 1 and Theorem 4, we get 

Corollary 2: Let N, M ∈ BI such that M divides N. Suppose that M has two prime factors 
and N has l = O(log n) distinct prime factors, where n is the length of N. Then the following 
two tasks (1) and (2) are computationally equivalent, and both are polynomial-time reducible to 
(3). 

1) Factoring M. 

2) Given M, p3, p4, ..., pl (a partial factorization of N = Mp3p4···pl) and q ∈ Q_N, guess 
L_N(√q) with success probability exceeding 1/2 + 1/poly(n). 

3) Let 1 ≤ k ≤ l, N1, N2, ..., Nk such that N = N1N2···Nk and M divides N1. Given N1, 
N2, ..., Nk and q ∈ Q_N, guess L_N(√q) with success probability exceeding 1/2 + 
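As an added, constructed simulation (not code from the paper), the following Python reproduces on a small modulus the residuosity test of Theorem 3 and the Q'_N sampling and the f, f' estimation from the proof of Theorem 4. The noisy oracle, the Blum primes 23, 31, 19, the value ε = 0.25 and every function name are assumptions made here.

```python
import random
from math import gcd, prod

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; the Legendre symbol when n is prime."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    n = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        q = n // m
        x += r * q * pow(q, -1, m)
    return x % n

def qr_sqrt(x, primes):
    """The square root of x in Q_N that is itself a quadratic residue: for a
    Blum prime p (p = 3 mod 4), x^((p+1)/4) mod p is that root modulo p."""
    return crt([pow(x, (p + 1) // 4, p) for p in primes], primes)

def random_square(n, rng):
    """Uniform element of Q_n: pick a unit of Z_n at random and square it."""
    while True:
        u = rng.randrange(1, n)
        if gcd(u, n) == 1:
            return u * u % n

def make_lsb_oracle(primes, eps, rng):
    """Constructed epsilon-oracle O_N: on x in Q_N it returns L_N(sqrt(x)) with
    probability 1/2 + eps; outside Q_N its answer is an unconstrained coin flip."""
    def oracle(x):
        if all(jacobi(x, p) == 1 for p in primes):
            truth = qr_sqrt(x, primes) & 1
            return truth if rng.random() < 0.5 + eps else 1 - truth
        return rng.randrange(2)
    return oracle

def is_qr_theorem3(s, p1, p2, oracle, rng, samples=400):
    """Theorem 3 (N = p1 p2): decide s in Q_N with a noisy LSB oracle. For r in
    Q_N the answer on (rs)^2 agrees with L_N(rs) w.p. >= 1/2 + eps if s in Q_N;
    if s has Jacobi symbol +1 but is not in Q_N, the QR root of (rs)^2 is -rs,
    of the opposite parity, so the agreement is <= 1/2 - eps."""
    N = p1 * p2
    if jacobi(s, N) == -1:
        return False
    agree = 0
    for _ in range(samples):
        rs = random_square(N, rng) * s % N
        agree += oracle(rs * rs % N) == (rs & 1)
    return agree > samples // 2

def sample_q_prime(m_primes, other_primes, rng):
    """Proof of Theorem 4: uniform r in Q'_N (Legendre -1 at p1, p2 and +1 at the
    other primes) from r = -r' (mod M), r = r'' (mod p3...pl), r', r'' squares."""
    M, R = prod(m_primes), prod(other_primes)
    r1, r2 = random_square(M, rng), random_square(R, rng)
    return crt([(-r1) % M, r2], [M, R])

def estimate_success(oracle, N, sampler, rng, samples=800):
    """Monte Carlo estimate of Pr(O_N(r^2) = L_N(r)) for r drawn by `sampler`."""
    agree = 0
    for _ in range(samples):
        r = sampler(rng)
        agree += oracle(r * r % N) == (r & 1)
    return agree / samples

def which_case(f_hat, fprime_hat, eps):
    """Case I: test residuosity of s first; Case II: answer O_N(s^2 q) directly."""
    return "I" if fprime_hat < f_hat - eps / 2 else "II"

def run_demo(seed=1985, eps=0.25):
    """Constructed instance: M = 23*31 for Theorem 3, N = M*19 for Theorem 4."""
    rng = random.Random(seed)
    p1, p2, p3 = 23, 31, 19            # small Blum primes, for illustration only
    o_m = make_lsb_oracle((p1, p2), eps, rng)
    N = p1 * p2 * p3
    o_n = make_lsb_oracle((p1, p2, p3), eps, rng)
    f_hat = estimate_success(o_n, N, lambda g: random_square(N, g), rng)
    fp_hat = estimate_success(o_n, N, lambda g: sample_q_prime((p1, p2), (p3,), g), rng)
    return {
        "qr_4": is_qr_theorem3(4, p1, p2, o_m, rng),                 # 4 = 2^2 is in Q_M
        "qr_minus4": is_qr_theorem3(p1 * p2 - 4, p1, p2, o_m, rng),  # -4: Jacobi +1, not a residue
        "q_prime_sample": sample_q_prime((p1, p2), (p3,), rng),
        "f_hat": f_hat,                 # about 1/2 + eps
        "fprime_hat": fp_hat,           # about 1/2 for this oracle, so Case I applies
        "case": which_case(f_hat, fp_hat, eps),
    }
```

For this constructed oracle the QR root of r² is a different root whenever r ∈ Q'_N, so f̂' lands near 1/2 and the procedure selects Case I.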


5. Applications to Protocols Design 

Chor, Goldwasser, Micali, and Awerbuch [7] suggested to use a composite number N, product 
of l = 2t + 1 primes, in order to "verifiably share" a secret bit among many players, t of which 
can be untrusty. They suggested two implementations of this scheme: one is based on the RSA, 
while the other is based on modular squaring. The security of the second implementation relies 
on the result of this paper. A brief description of the scheme follows. 

The secret is the least significant bit of √q, where q ∈ Q_N is a quadratic residue modulo N. 
After establishing the secret, the dealer distributes "pieces" of it to every participant (one piece 
per participant). A random split of N corresponds to one piece of the secret bit. Since N has 
2t + 1 prime factors, it cannot be totally factored with only t pieces. By our result, it is infeasible 
for t participants to guess the secret L_N(√q) with any non-negligible advantage. On the other 
hand, with overwhelmingly high probability, 3t pieces yield the complete factorization of N and 
allow the recovery of the secret bit. 

6. An Open Problem 

A crucial condition for the proof of Corollary 2 is that the number of prime factors is logarithmic 
in the length of the modulus. The reason being that the inverting algorithm needs answers for 
random elements in Z_N, while the ε-oracle for the least significant bit answers only on q ∈ Q_N. Thus, 
only a 2^{−l} fraction of the queries are answered, where l is the number of primes in N. Getting 
around this difficulty will require either a different inverting algorithm or a better analysis of 
what happens when the oracle is asked on q ∈ Z_N − Q_N. 

References 

[1] Alexi, W., B. Chor, O. Goldreich, and C.P. Schnorr, "RSA and Rabin Functions: Certain Bits 
are As Hard As The Whole", to appear in SIAM Jour. on Computing. Extended abstract 
in Proc. of 25th FOCS, 1984, pp. 449-457. 

[2] Ben-Or, M., B. Chor, and A. Shamir, "On the Cryptographic Security of Single RSA Bits", 
15th ACM Symp. on Theory of Computation, April 1983, pp. 421-430. 

[3] Blum, M., "Coin Flipping by Telephone", IEEE Spring COMPCON, 1982. 

[4] Blum, L., M. Blum, and M. Shub, "Comparison of Two Pseudo-Random Number Generators", 
Advances in Cryptology: Proceedings of Crypto 82, Chaum, D., et al. eds., Plenum Press, 
1983, pp. 61-79. 

[5] Blum, M., and S. Goldwasser, "An Efficient Probabilistic PKCS as Secure as Factoring", 
Advances in Cryptology: Proceedings of Crypto 84, Springer Verlag, Lecture Notes in 
Computer Science (196), 1985, pp. 289-299. 

[6] Blum, M., and S. Micali, "How to Generate Cryptographically Strong Sequences of Pseudo- 
Random Bits", SIAM Jour. on Computing, Vol. 13, No. 4, November 1984, pp. 850-864. 

[7] Chor, B., S. Goldwasser, S. Micali, and B. Awerbuch, "Verifiable Secret Sharing and Achiev- 
ing Simultaneity in the Presence of Faults", Proc. of 26th FOCS, 1985, pp. 383-395. 

[8] Diffie, W., and M.E. Hellman, "New Directions in Cryptography", IEEE Trans. on Inform. 
Theory, Vol. IT-22, No. 6, November 1976, pp. 644-654. 

[9] Goldreich, O., "On the Number of Close-and-Equal Pairs of Bits in a String (with Implica- 
tions on the Security of RSA's L.s.b.)", MIT/LCS/TM-250, March 1984. 

[10] Goldwasser, S., and S. Micali, "Probabilistic Encryption", Jour. of Computer and System 
Science, Vol. 28, No. 2, 1984, pp. 270-299. 

[11] Goldwasser, S., S. Micali, and P. Tong, "Why and How to Establish a Private Code on 
a Public Network", Proc. of the 23rd IEEE Symp. on Foundation of Computer Science, 
November 1982, pp. 134-144. 

[12] Niven, I., and H.S. Zuckerman, An Introduction to the Theory of Numbers, John Wiley & 
Sons Inc., (1980). 

[13] Rabin, M.O., "Digital Signatures and Public Key Functions as Intractable as Factorization", 
MIT/LCS/TR-212, 1979. 

[14] Rivest, R.L., and A. Shamir, "An Efficient Factoring Algorithm Based on Partial Informa- 
tion", presented in Eurocrypt 85, Linz, Austria, April 1985. 

[15] Rivest, R.L., A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signature and 
Public Key Cryptosystems", Comm. of the ACM, Vol. 21, February 1978, pp. 120-126. 

[16] Vazirani, U.V., and V.V. Vazirani, "RSA Bits are .732 + ε Secure", Advances in Cryptology: 
Proceedings of Crypto 83, Chaum, D. ed., Plenum Press, 1984, pp. 369-375. 

[17] Vazirani, U.V., and V.V. Vazirani, "Efficient and Secure Pseudo-Random Number Genera- 
tion", Proc. of 25th FOCS, 1984, pp. 458-463. 

[18] Williams, H.C., "A Modification of the RSA Public-Key Encryption Procedure", IEEE Trans. 
Info. Th., IT-26 (1980), pp. 726-729. 


SOME CRYPTOGRAPHIC ASPECTS OF WOMCODES 

Philippe Godlewski and Gérard D. Cohen 
ENST, Département SYC, 46 rue Barrault, 75013 PARIS, France. 

Abstract 

We consider the following cryptographic and coding questions in 
relation with the use of "write-once" memories (or woms): 
- How to prevent anyone from reusing the wom (immutable codes). 
- How to fix the written information in the wom after a given number of 
generations (locking codes). 
- How to encode a "credit" in a way that guarantees the user t generations 
or "purchases" in any possible way and makes it impossible to cheat, i.e. 
writing on the wom necessarily increases the spent amount of money. The 
coding will be called "incremental locked". 

These questions were only raised in [5], where the accent was put on 
the generation of womcodes possessing an "easy reading-reserved writing" 
property. 

1. Definitions and notations 

Let us suppose we have a storage medium, called wom ([1]), consisting 
of n binary positions or wits, initially containing a "0". At some step, a 
wit can be irreversibly overwritten with a "1" (e.g. by some laser beam in 
digital optical disks, or burning microscopic fuses in PROMs). 

For two binary n-tuples x and y, we say that x covers y, and write 
y ≤ x, if supp(y) ⊆ supp(x), where for a binary n-tuple z = (z_1, z_2, ..., z_n), 
supp(z) = {i ; z_i = 1} is the support of z. Then |z| = |supp(z)| is the 
Hamming weight of z. The binary complement of z is denoted by z̄. 

The first problem we address is the following: how to construct 
codes with maximal rate (or cardinality) and forwarding impossible 
updating? 

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 458-467, 1986. 
© Springer-Verlag Berlin Heidelberg 1986 

2. Immutable codes 

Let F be the binary field. A subset C of F^n is called immutable (see 
[6]) if, for any a and b in C, a < b never holds. Clearly, if such a code is 
used to write on a wom, no updating is possible (updating a into b would 
imply a < b). The characterization of maximal immutable codes is a well 
known combinatorial problem, solved by Sperner [2]. 

Proposition. The set S of all the n-tuples of weight ⌊n/2⌋ is a maximal 
immutable code (called Sperner code). The solution is unique for odd n. 
For even n, there is another solution S̄, where S̄ = {s̄ ∈ F^n ; s ∈ S}. 

The rate of these codes, R = (1/n)·log(|S|), is approximately 

$$R \approx 1 - \frac{1}{2n}\log(n).$$

These Sperner codes are however not very easy to encode (see e.g. [7]). 
One way to overcome this is to impose linearity. This will be very 
suboptimal, as we now show. Let us say that a linear [n,k] code C is 
intersecting if any two non-zero codewords have intersecting supports; then 
one has: 

Proposition. A linear code C is intersecting iff C\{0} is immutable. 

Proof. C\{0} is not immutable iff there exist two distinct nonzero 
elements in C, say a and b, with a < b. Then a + b is in C and has 
disjoint support with a, hence C is not intersecting. □ 

Intersecting codes are studied in, e.g. [3], and have low rate, namely: 

Proposition. For n large enough, intersecting [n,k] codes have rate 
k < 0.283 n. 

We now propose a slightly suboptimal solution, first introduced in [7], 
with a very simple encoding scheme. Let us denote by 2(i) the writing of 
the integer i in base 2, and by |2(i)| the weight of such a writing. 
Define the coding of i < 2^k by 

$$i \ \to\ c(i) = \bigl(\,2(i),\ \overline{2(|2(i)|)}\,\bigr) \qquad (1)$$

where the two parts of c(i) are written using k and ⌈log(k)⌉ bits 
respectively. For example, if k=7, i=98, then 2(i) = 1100010, |2(i)| = 3, 
2(|2(i)|) = 011 and c(98) = (1100010 100). 

In fact, this encoding is systematic, i.e. the information written on the 
wom is contained in k fixed positions, say the first ones. Clearly, one 
has: 

Proposition. The encoding scheme described in (1) gives immutable codes 
with rate R = 1 − (1/n) log(n). 

Proposition. The encoding scheme of (1) is optimal, i.e. yields the 
largest possible rate for a systematic immutable code. 

Proof. Let C be systematic with k information bits. Consider the chain 
(for inclusion) of k-tuples (000...0), (100...0), (110...0), ..., 
(111...1). For C to be immutable, these k+1 vectors must be appended 
different suffixes of size n−k. Hence 2^{n−k} ≥ k+1. □ 

We thank D. Coppersmith for suggesting this proof. 

3. Locking codes 

The problem of locking, i.e. of fixing the written information in 
the wom after a given number of generations, is closely related to the 
previous one. The only difference is that one now has the possibility of 
choosing when the written information should become immutable, which is a 
slightly stronger assumption. Among the techniques described in paragraph 
2, the coding scheme (1) allows locking; to that end, take a wom of 
k + ⌈log k⌉ wits, 

- use k wits for the updatings, 

- to lock the wom when v is written, write \overline{2(|v|)} on the remaining wits. 
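Added example, not the paper's own code: the encoding (1), the covering relation of Section 1, and the locking step of Section 3 on a simulated wom, in Python. The check part is given ⌈log2(k+1)⌉ wits, which equals the paper's ⌈log k⌉ except when k is a power of two; every function and class name is an assumption made here.

```python
from itertools import combinations

def bin_repr(i, width):
    """2(i): the writing of i in base 2 on `width` wits (most significant first)."""
    return format(i, f"0{width}b")

def weight(z):
    """|z| = |supp(z)|, the Hamming weight of a binary tuple given as a string."""
    return z.count("1")

def complement(z):
    """The binary complement z-bar."""
    return "".join("1" if b == "0" else "0" for b in z)

def covers(x, y):
    """y <= x: supp(y) is contained in supp(x)."""
    return len(x) == len(y) and all(b == "0" or a == "1" for a, b in zip(x, y))

def tail_width(k):
    """Wits for a weight in 0..k: ceil(log2(k+1)), i.e. ceil(log2 k) unless k is a power of 2."""
    return k.bit_length()

def encode(i, k):
    """c(i) = (2(i), complement of 2(|2(i)|)) as in (1), for 0 <= i < 2^k."""
    data = bin_repr(i, k)
    return data + complement(bin_repr(weight(data), tail_width(k)))

def is_immutable(code):
    """No codeword covers another distinct codeword (a < b never holds)."""
    return all(not covers(a, b) and not covers(b, a) for a, b in combinations(code, 2))

def rate(k):
    """R = k / n for the systematic code with k information wits."""
    return k / (k + tail_width(k))

class Wom:
    """n wits, all 0 initially; a write may only turn wits from 0 to 1."""

    def __init__(self, n):
        self.state = "0" * n

    def write(self, word):
        if not covers(word, self.state):
            raise ValueError("write-once violation: a wit cannot go back from 1 to 0")
        self.state = word

def update(wom, v, k):
    """Write a new value v on the k information wits, leaving the check wits at 0."""
    wom.write(bin_repr(v, k) + "0" * (len(wom.state) - k))
    return wom.state

def lock(wom, k):
    """Section 3: write the complement of 2(|v|) on the remaining wits, v being the
    current content of the first k wits; the wom then holds the codeword c(v)."""
    v = wom.state[:k]
    wom.write(v + complement(bin_repr(weight(v), len(wom.state) - k)))
    return wom.state

def still_writable(wom, k):
    """Values whose codeword could still be written on the locked wom; empty if the lock holds."""
    return [j for j in range(2 ** k)
            if encode(j, k) != wom.state and covers(encode(j, k), wom.state)]
```

Once locked, every other codeword would need some wit to return from 1 to 0, which is exactly the immutability of (1) applied to the current content.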

4. Incremental locked codes 

The following problem is introduced in [4]: write successively t 
messages v_1, v_2, ..., v_t on a wom, such that 

$$0 \le v_1 \le v_2 \le \cdots \le v_t \le v - 1 . \qquad (2)$$

Such a code is called incremental (IW). 

We consider the problem where any writing on the wom can only 
increase the value of the written message. Such a code will be called an 
incremental locked womcode (ILW) and can be used to eliminate cheating 
possibilities on credit cards. This assumption is stronger than the 
previous one: now (2) is a necessary and sufficient condition on a set of 
t messages for its writing to be possible, whereas it was only sufficient 
in the case of IW. 

We shall study in the following an easy way to construct an ILW: the 
knapsack (or coins) scheme. Each wit i represents a coin with value a_i. 
Thus the spent amount of money corresponds to the sum of "marked" coins 

$$v = \sum_{i \in I} a_i ,$$

where I is the set of written wits. We call incremental K womcodes (IKW) 
the corresponding codes. Clearly we have 

$$w^{ik} \ge w^{il} \ge w^{i}$$

where w^{ik}, w^{il}, w^{i} are the minimal lengths of an IKW, ILW, IW, respectively. 

We consider the directed graph (trellis) representing all the 
possible transitions in the WOM. A vertex is identified with a binary 
n-tuple, and there is an edge from x to y iff y > x and |y − x| = 1. To every y 
is associated a message α(y) ∈ Z_v ∪ {u} by means of the interpreting function 
α; α(y) = u means that the state y is not used (achievable as a coding state) 
in the coding process. The incremental code is locked iff for achievable x 
and y 

$$y > x \ \Rightarrow\ \alpha(y) \ge \alpha(x) .$$

For every set V = (v_1, v_2, ..., v_t), with v_1 ≤ v_2 ≤ ... ≤ v_t ≤ v − 1, 
of t messages to be written, we consider the "history" of writings 

$$Y = (y^{(1)}, y^{(2)}, \ldots, y^{(t)}) \quad \text{where } y^{(i)} \in F^n,\ \ y^{(1)} \le y^{(2)} \le \cdots \le y^{(t)} \ \text{ and } \ \alpha(y^{(i)}) = v_i .$$

Let H be the set of all possible Y. The number of possible V must be 
less than the number of possible Y. Thus we obtain: 

Proposition. The parameters of a <v>^t/n IW must satisfy 

$$\binom{v+t}{t} \le (t+1)^n .$$

We now define for y ∈ F^n: 

$$\theta(y) = \inf\bigl\{\, i \ \big|\ y = y^{(i)} \text{ for some } Y = (y^{(1)}, \ldots, y^{(i)}, \ldots),\ Y \in H \,\bigr\} .$$

Proposition. If y is a state in the WOM such that θ(y) = j, then 

$$n - |y| \ \ge\ w^{A}\bigl(\langle v - \alpha(y)\rangle^{t-j}\bigr) + j ,$$

where A stands for i, il, ik in the case of an IW, ILW, IKW respectively. 

Indeed, at state j, there are at least t−j generations to write on n−|y| 
wits. 

Using this Proposition we can begin to fill up a table of the w for small 
v and t. We start from the first line w(<v>^1) = ⌈log2(v)⌉. The noticeable 
points are 

$$w^{ik}(\langle 9\rangle^3) = 6 > 5 = w^{il}(\langle 9\rangle^3) \quad\text{and}\quad w^{il}(\langle 9\rangle^2) = 5 > 4 = w^{i}(\langle 9\rangle^2) .$$



Table: values of w^{i}(<v>^t), w^{il}(<v>^t), w^{ik}(<v>^t) for small v and t. (Only the column headings v = 10, 11, 12 and scattered entries of the table body survive the scan; the body is not reproduced.) 



5. Construction of incremental K womcodes (IKW) 

As we said before an incremental K womcode is based on a set of coins 
P = {..., i, ..., j, ...}, where i is a coin with value i and |P| = n. The set P 
is hereafter referred to as a purse. The coding algorithm obeys the 
following rule: "use first the heaviest remaining coin compatible with 
the purchase". We shall say that a <(s+1)>^t/n IKW realizes (s,t). Let us 
introduce some notations: 

n_j(P) is the number of coins in P with value j; 

$$\Sigma(P) = \sum_{j} j\, n_j(P), \qquad \Sigma_i(P) = \sum_{j=1}^{i} j\, n_j(P) ;$$

P/i is the set of coins in P with value at most i; then 

$$|P/i| = \sum_{j \le i} n_j(P) \quad \text{and} \quad \Sigma_i(P) = \Sigma(P/i) ;$$

Q_i[k] or Q_i is a purse with only k coins of value i (then k = |Q_i| = n_i(Q_i)); 

D = (d_1, d_2, ..., d_t) is a t-tuple of purchases; Σ(D) = Σ_j d_j. 

In the following, P denotes a purse realizing (s,t), and m = ⌊s/t⌋ + 1. 

Proposition K1. For every integers μ ≤ m, r, 

$$P^{(r)} = P \cup Q_\mu[r] \ \text{ realizes } (s + r\mu,\ t).$$

Proof. By induction on r. Suppose it is true up to k, i.e. P^{(k)} = P ∪ Q_μ[k] 
realizes (s + kμ, t). Let D be a t-tuple to be spent using P^{(k+1)}, let j_0 be 
the first j such that d_j ≥ μ (if no such j_0 exists, Σ(D) ≤ (μ−1)t ≤ s and we are 
done). Set 

$$D' = (d'_j) = (d_1, d_2, \ldots, d_{j_0} - \mu, \ldots, d_t).$$

From our "heavy coin first" algorithm, realizing D with P^{(k+1)} amounts to 
realizing D' with P^{(k)}, hence is possible since Σ(D') ≤ s + kμ. □ 

Proposition K2. The purse P_i defined recursively by 

P_1 = Q_1[t], 

P_2 = P_1 ∪ Q_2[n_2] where n_2 is the smallest integer such that Σ(P_2) ≥ 2t, 

... 

P_i = P_{i−1} ∪ Q_i[n_i] where n_i is the smallest integer s.t. Σ(P_i) ≥ i·t, 

realizes every t-tuple of purchases D = (d_1, d_2, ..., d_t) with Σ(D) ≤ Σ(P_i). 

Proof. By induction. For any fixed j, 0 ≤ j ≤ i−1, step P_j → P_{j+1} is 
achieved by applying Proposition K1 with μ = j+1, r = n_{j+1}, s = jt and therefore 
m = j+1. □ 

Remark. The construction in Proposition K2 also works without assuming the 
n_i minimal. By stopping at some level k, we obtain purses P for which the 
following also holds 

$$\Sigma(P/j) \ge jt, \quad \forall\, j \text{ s.t. } 1 \le j \le k$$

or equivalently 

$$\Sigma(P/j) \ge jt, \quad \forall\, j \text{ s.t. } jt \le \Sigma(P) \qquad (*)$$

But (*) is at the same time a necessary condition for a purse P to realize 
(Σ(P), t) because every t-tuple D with Σ(D) ≤ Σ(P) and Max d_i ≤ j must be 
realized with P/j. This shows: 

Corollary. For given s and t, a necessary and sufficient condition for a 
purse P with Σ(P/m) ≥ s, m = ⌊s/t⌋+1, to realize (s,t) is that the m−1 
following t-tuples of purchases be realizable: 
(j, j, ..., j) for 1 ≤ j < m. 



Optimality of the proposed construction 

Now we want to prove that the purse defined by Proposition K2 is optimal 
in the class of IKW. For fixed t, a purse P is said saturated if P 
realizes (Σ(P), t). We first show that we can restrict ourselves to 
saturated purses. As before, P denotes a purse realizing (s,t), with 
m = ⌊s/t⌋+1. 

Proposition. For any P realizing (s,t), there exists a saturated P° such 
that Σ(P°) = s and |P°| ≤ |P|. 

Proof. We first show that P/m realizes (s,t): Consider D = (d_i), Σ(D) = s 
and d_i ∈ {m−1, m}. Such a set of purchases uses coins with value at most m, 
hence Σ(P/m) ≥ s. Then apply the Corollary, which shows that P/j realizes 
(Σ(P/j), t) if 1 ≤ j < m. 
Define m' by 

$$\Sigma(P/(m'-1)) < s \le \Sigma(P/m') .$$

It is clear that m' ≤ m. The purse P' = Q_{m'}[k] ∪ (P/(m'−1)) realizes (Σ(P'), t) 
by Proposition K1. Choose k s.t. Σ(P') ≤ s < Σ(P') + m'. If the left-hand side 
inequality is achieved with equality then P° = P' is a desired purse. If not, consider 
P° = P' ∪ {j}, j = s − Σ(P'); then P° realizes (s,t), again by Proposition K1, and 
Σ(P°) = s. After straightforward counting, we get 

$$|P^\circ| = |P/m'| - \bigl\lfloor (\Sigma(P/m') - s)/m' \bigr\rfloor \le |P/m'| \le |P| .$$

We have transformed P into a saturated P° with fewer coins. □ 

Let now f(s,t) be the minimum number of coins for a purse realizing (s,t): 
f(s,t) = w^{ik}(<(s+1)>^t). Then we have: 

Proposition. The purse P_i defined by Proposition K2 is optimal. That is, 

$$f(\Sigma(P_i), t) = |P_i| .$$

Proof. By induction on i. Suppose it is true up to i−1. We first recall 
that P_i is obtained from P_{i−1} by possibly adding coins with value i. Then 
setting s_j = Σ(P_j), s = s_{i−1} and s' = s_i, we have s' − s = ki for some integer k. 
Let P be an optimal saturated purse realizing (s',t); therefore P = P/i (see 
previous proof). From P we can construct, as before, a saturated P° 
realizing (s,t) by suppressing heaviest coins (with value at most i) and 
possibly adding a "cheapened" extra one: 

$$|P^\circ| \le |P| - \lfloor (s' - s)/i \rfloor .$$

Now if |P| = f(s',t) < |P_i|, then f(s,t) < |P_{i−1}| and we get a contradiction. □ 
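Added example, not the paper's own code: the "heaviest coin first" spending rule, the recursive purse of Proposition K2, the condition of the Corollary, and f(s,t) by exhaustive search, in Python; for t = 3 it recovers the table value w^{ik}(<9>^3) = 6 and confirms |P_3| = 6 is optimal. The search is restricted to coins of value at most m, as the saturation proposition allows; every function name is an assumption made here.

```python
from itertools import combinations_with_replacement, product

def spend(purse, amount):
    """Pay `amount` by the paper's rule "use first the heaviest remaining coin
    compatible with the purchase". Returns the remaining coins, or None if the
    purchase cannot be paid exactly."""
    left, kept = amount, []
    for coin in sorted(purse, reverse=True):
        if coin <= left:
            left -= coin
        else:
            kept.append(coin)
    return kept if left == 0 else None

def pays(purse, purchases):
    """Whether the t-tuple D of purchases can be spent, in order, from the purse."""
    for d in purchases:
        purse = spend(purse, d)
        if purse is None:
            return False
    return True

def realizes(purse, s, t):
    """P realizes (s, t): every t-tuple D with Sigma(D) <= s can be spent (brute force)."""
    return all(pays(purse, d) for d in product(range(s + 1), repeat=t) if sum(d) <= s)

def purse_k2(i, t):
    """Proposition K2: P_1 = Q_1[t]; P_j adds the fewest coins of value j so that
    Sigma(P_j) >= j*t. Returns P_i as a list of coin values."""
    purse = [1] * t
    for j in range(2, i + 1):
        while sum(purse) < j * t:
            purse.append(j)
    return purse

def partial_sum(purse, j):
    """Sigma_j(P) = Sigma(P/j): total value of the coins worth at most j."""
    return sum(c for c in purse if c <= j)

def corollary_condition(purse, s, t):
    """The necessary and sufficient condition of the Corollary: Sigma(P/m) >= s and
    (j, ..., j) spendable for 1 <= j < m, where m = floor(s/t) + 1."""
    m = s // t + 1
    return partial_sum(purse, m) >= s and all(pays(purse, (j,) * t) for j in range(1, m))

def f(s, t):
    """f(s,t) = w^ik(<s+1>^t): the fewest coins of a purse realizing (s, t), by
    exhaustive search over multisets of coins of value at most m = floor(s/t)+1
    (P/m realizes (s, t) whenever P does). Returns (count, one optimal purse)."""
    m = s // t + 1
    n = 1
    while True:
        for purse in combinations_with_replacement(range(1, m + 1), n):
            if sum(purse) >= s and realizes(list(purse), s, t):
                return n, list(purse)
        n += 1
```

The purse {1,1,1,2,3} has Σ(P/2) = 5 < 6 and indeed fails the tuple (2,2,2), which is the Corollary's condition at work.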



6. Asymptotical results 

For womcodes, the asymptotical behavior is studied in [1]. Focusing 
on the case when t is fixed and v goes to infinity, one has 

$$w(\langle v\rangle^t) \approx f(t)\,\log_2(v),$$

with f(2) ≈ 1.29 and f(t) ≈ t/log2(t) for t large. 

Clearly, an incremental womcode realizing (v, t) is also a <(v+1)/t>^t 
womcode. Hence, for fixed t 

$$w^{i}(\langle v\rangle^t) \ \ge\ w(\langle (v+1)/t\rangle^t) \ \approx\ f(t)\,\log_2((v+1)/t) \ \approx\ w(\langle v\rangle^t).$$

That is, w^i ≈ w (cf. [4]). 

From the previous section, we know that recursive purses yield incremental 
K womcodes with 

$$(i+1)t > \Sigma(P_i) \ge it$$

and maximum coin of value i. 

For fixed t and i going to infinity, the average increase of Σ(P_i), 
E(Σ(P_{i+1}) − Σ(P_i)), is equal to t, or 

$$E\bigl(|P_{i+\lfloor i/t\rfloor}| - |P_i|\bigr) \approx 1 .$$

In other words, the purse P_i realizing (s_i ≈ it, t) has j coins, with 

$$j \approx \sum_{k=1}^{i} t/k \approx t\ln(i) \approx t\ln(s_i/t) .$$

Finally, since these codes are optimal 

$$w^{ik} = t\,(\ln(v) + O(1)).$$

The asymptotical behavior of w^{il} is still unknown. It would be interesting 
to estimate 

$$R = \limsup\ w^{il}/w^{ik}$$

for fixed t and v going to infinity, and to prove that R < 1. 

Let us summarize what we know about w. 



                                              t large                t=2             t=3 

no coding                                w^0 = t log2 v         2 log2 v        3 log2 v 

incremental K womcodes                   w^ik = t log_e v       1.38 log2 v     2.07 log2 v 

womcodes (incremental or not)            w^i = w = t log_t v    1.29 log2 v     1.55 log2 v 

We thank our graduate students Beveraggi, Assaraf and Luguern for their 
helpful comments. 

References 

[1] R.L. Rivest and A. Shamir, "How to Reuse a "Write-Once" Memory", 
Inform. and Control 55, 1-19 (1982). 

[2] E. Sperner, "Ein Satz über Untermengen einer endlichen Menge" (1928), 
Math. Z. 27, 544-548. 

[3] G.D. Cohen and A. Lempel, "Linear Intersecting Codes", to appear in 
Discrete Mathematics (1985) vol. 56(1), pp. 35-43. 

[4] A. Fiat and A. Shamir, "Generalized Write-Once Memories", IEEE Trans. 
on Inform. Theory, Vol. IT-30, No. 3, pp. 470-480, May 1984. 

[5] G.D. Cohen and P. Godlewski, "Authorized writing for "write-once" 
memories", Eurocrypt 85, April 9-11, 1985. To appear in "Springer Lecture 
Notes in Computer Science". 

[6] E.L. Leiss, "Data Integrity in Digital Optical Disks", IEEE Trans. on 
Computers, vol. C-33, pp. 818-827, September 1984. 

[7] T.M. Cover, "Enumerative Source Encoding", IEEE Trans. on Inform. 
Theory, vol. IT-19, pp. 73-77, January 1973. 

[8] J.M. Berger, "A Note on Error Detection Codes for Asymmetric Channels", 
Information and Control 4, pp. 68-73, 1961. 



How to Reduce your Enemy's Information (extended abstract)† 

Charles H. Bennett 

IBM T. J. Watson Research Laboratory 
Yorktown Heights 
NY 10598 

Gilles Brassard 

Dept. IRO, Université de Montréal (3) 
C.P. 6128, Succ. "A", Montréal 
Québec, H3C 3J7 

Jean-Marc Robert (4) 

Génie Électrique, École Polytechnique 
C.P. 6128, Succ. "A", Montréal 
Québec, H3C 3A7 



1. INTRODUCTION 



In this paper, we investigate how a channel with perfect authenticity but no privacy can be used 
to repair the defects of a channel with imperfect privacy but no authenticity. More precisely, let us 
assume that Alice and Bob wish to agree on a secret random bit string. In order to achieve this goal, 
they have at their disposal an imperfect private channel and an authenticated public channel. The 
private channel is imperfect in various ways: transmission errors can occur, and partial information 
can leak to Eve, the eavesdropper, who also can modify the transmissions arbitrarily, as explained 
below. The only thing Eve cannot do is learn the entire contents of the original message sent by 
Alice. An interesting example of imperfect private "channel", used to exchange (not so random) 
strings, is Diffie and Hellman's public key distribution scheme [DH], which leaks partial information, 
even if the discrete logarithm is indeed hard to compute, because it is always feasible for an 
eavesdropper to determine whether the resulting secret is a quadratic residue or not. The quantum channel 
[BB1,BB2] is also susceptible to a limited amount of information leakage. 

We allow Eve to toggle bits of her choice on the private channel transmissions, or jumble them 
around, even if she cannot actually read them. This could occur, for instance, if privacy were 
attempted by enciphering the individual bits with a one-time pad or with a probabilistic encryption 
scheme [GM] (to toggle an encoded bit, it suffices to multiply its code by the public quadratic non- 
residue), or alternatively, if a quantum channel were used (by passing selected photons through an 
appropriate sugar solution). Eve can also suppress the transmission of selected bits and replace them 
by bits of her choice. 



† A full paper was submitted for publication in SIAM J. Comp. as Privacy Amplification Through Public Discussion. 
1. Present address: Boston University, 111 Cummington Street, Boston, MA 02215. 
2. Partially supported by NSERC grant A4107 and by NSF grant MCS-8204506. 
3. Part of this research was conducted while this author was visiting the University of California, Berkeley. 
4. Partially supported by NSERC grant A4107. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 468-476, 1986. 
© Springer-Verlag Berlin Heidelberg 1986 



On the other hand, the public channel transmits information accurately (possibly because it is 
supplemented by a classical error-correcting code [MS]), and these transmissions cannot be modified 
or suppressed by Eve, but their entire contents becomes known to her. The authentication capability 
can either be enforced by physical properties of the channel or through the use of a universal hashing 
based authentication scheme [WQ. In the latter case, a small number of random secret bits must be 
shared initially between Alice and Bob, and some of them can be used only once, so that the net 
effect of the protocol can be viewed as key expansion rather than key' distribution. Computationally 
secure authentication [Br,GGM] can also be used if protection against unlimited computing power is 
not sought. We shall assume throughout that Alice and Bob did not share initially any secret infor- 
mation, except perhaps for this public channel authentication feature. 

It is instructive to compare our setting with the problem solved by the wire-tap channel of 
Wyner [W], which achieves similar results in a more classically information-theoretic setting. In 
Wyner's setting, Alice encodes information by a channel code of her choice. The output of her 
encoder is fed into two classic (discrete, memoryless) communications channels: the main channel, 
leading to the intended receiver Bob, and the wire-tap channel, of lesser capacity than the main chan- 
nel, leading to the eavesdropper. All participants know the channel code and the statistical properties 
of both channels. Under these conditions, Wyner showed that by appropriate choice of the channel 
code, Alice can exploit the difference in capacity between the two channels to communicate reliably 
with Bob while maintaining almost perfect secrecy from the eavesdropper. In our setting, the users 
have an additional resource: the authenticated public channel. This allows them to cope with a more 
powerful eavesdropper. Our eavesdropper is more powerful in two ways, either of which would be fatal in Wyner's setting: she can tamper with Alice's communications as well as listen to them, and she eavesdrops by evaluating an N-bit to K-bit function of her choice, unknown to Alice and Bob, as we shall see in Section 4.2.

In this paper, we assume that some random bit string has already been transmitted from Alice to 
Bob over the private channel. We investigate authenticated public channel protocols that, with high 
probability, detect tampering and transmission errors. Subsequent protocols transform both strings in 
such a way as to eliminate most, and in some cases all, of Eve's information on the resulting string, 
except for its length. These public channel protocols remain secure against unlimited computing 
power. Although excessive tampering on the private channel can result in suppressing communica- 
tions between Alice and Bob, it cannot fool them into thinking that they share a secret random string 
when in fact their strings are different or otherwise compromised. 

This extended abstract contains no proofs and only a selection of the results found in the complete paper [BBR]. For easier reference, we retain here the full paper's numbering for sections, theorems, etc. In Section 2, we explain why classical error-correcting codes are inappropriate in this context. In Section 3, we investigate how transmission errors and tampering can be detected with high probability, and sometimes corrected, at the cost of leaking some information to Eve. In Section 4, we investigate how Alice and Bob can subsequently reduce Eve's information arbitrarily, at the cost of slightly reducing the length of their shared random string, assuming they have an a priori upper bound on the amount of information collected by Eve on the private channel. In Section 5, we investigate the possibility of depriving Eve entirely of any information on the final shared random string, at the cost of reducing its length more substantially.

Before we get started, let us give the following definition and some notation: if i < j, a function f : {0,1}^j → {0,1}^i is equitable if #{x | f(x) = a} = 2^{j-i} for every binary string a of length i. If x and y are equal-length bit strings, x ⊕ y denotes their bit-by-bit exclusive-or. Finally, if x is a length-N bit string and if 0 < K < N, x mod 2^K denotes the length-K bit string consisting of the rightmost K bits of x, and x div 2^K denotes the length-(N-K) bit string obtained from x by deleting its rightmost K bits. We shall herein assume that the reader is familiar with the classical notions of error-correcting codes [MS], information theory [G], universal hashing [CW,WC], and the theory of finite fields [Be].

2. THE INADEQUACY OF CLASSICAL ERROR-CORRECTING CODES 

Let us recall that the imperfect private channel considered here is susceptible, not only to ran- 
dom transmission errors, but also to any amount of controlled tampering. The classical theory of 
error-correcting codes [MS], on the other hand, is based on the assumptions that few errors are more 
likely to occur than many, and that errors are not maliciously set by an opponent. It is therefore not 
quite adequate for our purpose. 

For instance, let x and y be Alice's and Bob's strings, respectively, and let N be their length. Eve's ability to toggle bits of her choice enables her to actually select x ⊕ y, barring actual transmission errors. This is clearly intolerable if error detection is attempted through a linear error-correcting code [MS]. Indeed, let x be the private channel transmitted codeword corresponding to Alice's chosen random string. Let z be any codeword chosen by Eve. If she perturbs the private channel transmission so that Bob receives y = x ⊕ z, it will not be possible for him to detect tampering. Notice that Eve can achieve this without gaining any knowledge of the contents of the original transmission x.

Should Alice randomly shuffle the codeword bits, in an attempt to preclude this threat, and publicly tell Bob how to unscramble them only after the private channel transmission is completed, it would no longer be possible for Eve to toggle selected bits and be certain to escape detection. However, if a Hamming code of dimension N - ⌈log₂ N⌉ is used, for instance, Eve can toggle 3 random bits and escape detection with probability 1/(N-2). Using such a protocol, Alice and Bob could only achieve a high probability of not being fooled, say 1 - 2^{-50}, at the cost of exchanging unreasonably long strings. In Section 3.1, we describe error detection schemes such that the probability of undetected tampering and transmission errors is independent of the number and position of altered bits. Moreover, this probability can be exponentially small in the length of the strings transmitted.
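The codeword-injection attack described above, as an added Python example that is not part of the paper: the [7,4] Hamming code and its parity-check matrix are the standard systematic ones (an assumption of this illustration; the paper names no particular code). Eve XORs a codeword of her choice into Alice's transmission and Bob's syndrome check accepts it, and an exhaustive count over all 3-bit toggle patterns reproduces the 1/(N-2) = 1/5 escape probability for N = 7.

```python
"""Why a linear error-detecting code cannot catch tampering (Section 2).

Added illustration, not the paper's code: Alice sends a [7,4] Hamming
codeword over the private channel; Eve XORs in a codeword of her own and
Bob's syndrome check passes. An exhaustive count also confirms the 1/(N-2)
figure for 3 randomly placed toggles.
"""
from itertools import combinations, product

# Systematic generator matrix of the [7,4] Hamming code (rows are codewords).
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Matching parity-check matrix: H * w^T == 0 exactly when w is a codeword.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
N = 7


def encode(message):
    """Codeword = message * G over GF(2); message is a list of 4 bits."""
    return [sum(m * g for m, g in zip(message, col)) % 2 for col in zip(*G)]


def syndrome(word):
    """H * word^T over GF(2); all zeros means Bob sees a valid codeword."""
    return [sum(h * w for h, w in zip(row, word)) % 2 for row in H]


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def eve_tamper(codeword, eve_message):
    """Eve adds the codeword of a message of her choice (a codeword z).
    She never needs to learn Alice's x to do this."""
    return xor(codeword, encode(eve_message))


def tamper_goes_undetected(alice_message, eve_message):
    """True when Bob's check accepts Eve's word although it differs from x."""
    x = encode(alice_message)
    y = eve_tamper(x, eve_message)
    return y != x and syndrome(y) == [0, 0, 0]


def undetected_weight3_fraction():
    """(hidden, total): how many of the C(7,3) three-bit toggle patterns are
    themselves codewords and therefore pass Bob's check. The ratio is the
    paper's 1/(N-2) = 7/35 for the length-7 Hamming code."""
    code = {tuple(encode(list(m))) for m in product([0, 1], repeat=4)}
    patterns = list(combinations(range(N), 3))
    hidden = sum(
        1 for pos in patterns
        if tuple(1 if i in pos else 0 for i in range(N)) in code
    )
    return hidden, len(patterns)


if __name__ == "__main__":
    print("Eve's injected codeword accepted:", tamper_goes_undetected([1, 0, 1, 1], [0, 1, 1, 0]))
    print("weight-3 patterns that escape detection:", undetected_weight3_fraction())
```

Bob's check is linear, so the syndrome of x ⊕ z is the syndrome of x plus that of z, both zero; this is exactly why the paper turns to randomly chosen (universal) hash functions rather than a fixed public code.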

3. DETECTION AND CORRECTION OF TRANSMISSION ERRORS AND TAMPERING 

Let x be some random bit string selected by Alice. Assume she transmits it directly through the imperfect private channel, and let y be the string thus received by Bob. Let N be the length of both strings. We investigate public channel protocols that allow Alice and Bob to detect whenever x ≠ y with an arbitrarily small error probability, independently of how y differs from x. The fact that these protocols leak information to Eve about x is considered in Section 4.

3.1. Error detection 

A very simple but impractical way of testing whether x = y is for Alice to choose a random function f : {0,1}^N → {0,1}^K, where K is a security parameter. After the private channel transmission is completed, she sends f(x) to Bob over the public channel, together with a complete description of the function f. Should Bob find that f(y) = f(x), this would be considered strong evidence that y = x, the error probability being 2^{-K}. On the other hand, should f(y) be different from f(x), Bob could report to Alice with certainty that he did not receive the correct string. The amount of information on x leaking to Eve from this protocol depends only on the security parameter K, and not on the length N of the strings (except of course for the fact that K < N). This would not be the case if a classical error-detecting code had been used. Unfortunately, this scheme cannot be used in practice because there are too many such functions, so that K·2^N bits are typically needed merely to transmit a description of the randomly chosen function.

Universal hashing [CW] provides an efficient way to achieve the same goal. After the private channel transmission is completed, Alice randomly chooses a function f : {0,1}^N → {0,1}^K among some standard universal_2 class of functions. She then sends both f(x) and a description of f to Bob. Thanks to universal hashing, the description of f can be transmitted efficiently. After computing f(y), Bob checks whether it agrees with f(x). If it does, a basic property of universal hashing allows them to assume that x = y, their probability of error being bounded by 2^{-K}.

3.2. Reconciliation of the strings 

Whether f : {0,1}^N → {0,1}^K is chosen as a completely random function or within some universal_2 class of functions, what should Alice and Bob do whenever f(x) differs from f(y)? If the private channel is reliable enough that only one or perhaps two errors are to be expected at most, it may be worthwhile for Bob to try computing f(z) on all strings z differing from y by only one bit or two, in the hope of finding a match with f(x) and thus a likely candidate z for x.

If many transmission errors are to be expected, this would be much too time consuming. In the full paper, we offer two different solutions to this problem, one based on the post-facto application of a convolutional code and one based on a blockwise exclusive-or strategy. The effect of the convolutional code protocol is to allow Bob to transform y into x with high probability, at the cost of disclosing to Eve some information about x. Protocols from Section 4 can subsequently be applied to reduce that information. On the other hand, the effect of the exclusive-or strategy is to transform both x and y into a probably common shorter string z on which Eve has no more information than she initially had on x from eavesdropping over the private channel.

4. REDUCTION OF THE EAVESDROPPER'S INFORMATION 

Assuming that Alice and Bob agree on their strings as a result of one of the protocols discussed 
above, Eve has two different sources of information on that string: deterministic information obtained 
from eavesdropping on the private channel, as the original random bit string was being transmitted, 
and stochastic information resulting from eavesdropping on the public channel, as the agreement pro- 
tocol was being carried out. 

In this section, we investigate how to reduce Eve's information arbitrarily close to zero, at the cost of slightly shrinking the random bit string shared between Alice and Bob at the end of the protocol. In a first step, we assume that no eavesdropping on the private channel has occurred, but that tampering and transmission errors were possible. In a second step, we assume to the contrary that a limited amount of eavesdropping on the private channel may have occurred, but that it is not necessary to carry out an agreement protocol from Section 3, thus depriving Eve of this potential stochastic information. Finally, the full paper considers the case where both sources of information are simultaneously available to her. All these protocols are secure against an eavesdropper with unlimited computing power.






4.1. Reducing the public channel eavesdropper's information 

Let us assume for the moment that Eve did not attempt eavesdropping on the private channel, but that she has complete information on the error detection protocol carried out between Alice and Bob over the public channel. Let x be the random string of length N on which Alice and Bob have just agreed, and let f : {0,1}^N → {0,1}^K be their error detection function. Eve knows the K-bit value f(x), together with the function f itself. Her information can be characterized by the set C = {z ∈ {0,1}^N | f(z) = f(x)} of possible candidates for x. From Eve's point of view, each element of C is equally likely to be the string x currently shared between Alice and Bob. Notice that Alice and Bob also have complete knowledge of the set C.

In order to reduce Eve's information, Alice and Bob publicly agree on a function g : {0,1}^N → {0,1}^R, for some integer R ≤ N-K, such that knowledge of the set C gives arbitrarily little information on g(x), or perhaps even none at all. The final string on which Alice and Bob agree is thus g(x). In other words, the purpose of this function g is to shrink the string x by at least K bits, in order to compensate for the K bits of information that knowledge of C gives Eve.

4.1.1. The case of truly random functions 

Assume the error detection function f was chosen randomly among all N-bit to K-bit functions. Let g : {0,1}^N → {0,1}^R be the function g(x) = x mod 2^R. Let S = N-K-R, then

Theorem 8. The expected amount of information known by Eve on g(x) from knowledge of f, g and f(x) is less than 2^{-S}/ln 2 bit.

Here, S should be thought of as the number of additional bits sacrificed to privacy. Sacrificing one more bit in the final string halves Eve's information about it. This holds even if Eve knows in advance which information reduction function g is to be used. Any other equitable N-bit to R-bit function would have performed just as well.

4.1.3. The case of universal hashing 

Let us now assume that a practical error detection protocol was used: the function f : {0,1}^N → {0,1}^K was randomly chosen among some universal_2 class of hash functions. Rather than developing a general theory of information reduction in this context, let us design an ad hoc technique for a given universal_2 class.

Let a and b be elements of GF(2^N) [Be] such that a ≠ 0. The degree one polynomial q_{a,b}(x) = ax + b, arithmetic being done in GF(2^N), defines a permutation of GF(2^N). If we let σ : {0,1}^N → GF(2^N) stand for the natural one-one correspondence, this induces a permutation π_{a,b} : {0,1}^N → {0,1}^N defined by π_{a,b}(x) = σ^{-1}(q_{a,b}(σ(x))). Therefore, for any fixed K < N, the function h_{a,b} : {0,1}^N → {0,1}^K defined by h_{a,b}(x) = π_{a,b}(x) mod 2^K is equitable. Furthermore, the class of all such functions h_{a,b}, for every a, b ∈ GF(2^N), a ≠ 0, forms a universal_2 class of hash functions, so that it can be used for the error detection protocol.

Theorem 15. Let a and b be any elements of GF(2^N) such that a ≠ 0. Let x be a random string of length N. Then knowledge of a, b and h_{a,b}(x) gives no information on the length-(N-K) string defined as π_{a,b}(x) div 2^K.






Use of this universal_2 class allows Alice and Bob to verify whether their strings are identical, with a probability of error at most 2^{-K}. If they turn out to be the same, they can be transformed into a new string that is only K bits shorter, on which Eve has no information at all. This is optimal.

4.2. Reducing the private channel eavesdropper's information 

Let us now assume that partial eavesdropping has occurred on the private channel. Let K be an upper bound on the number of bits of information thus obtained by Eve, where K < N. This can be formalized as follows in general: Eve chooses any function e : {0,1}^N → {0,1}^K, and she obtains the value of e(x) after x has been transmitted over the private channel. Of course, Alice and Bob have no information on which function e was chosen by Eve, except for an upper bound on K.

The effect of eavesdropping over the private channel is very similar to that of eavesdropping over the public channel, as described in Section 4.1, in that the information gained by Eve can be characterized by a set E = {z ∈ {0,1}^N | e(z) = e(x)} of possible candidates for x. However, there is a fundamental difference: it is no longer true that Alice and Bob have complete knowledge of E. For this reason, it is not possible for them, in general, to eliminate Eve's information with certainty.

Theorem 17. No matter how Alice and Bob choose their function g : {0,1}^N → {0,1}^R, for any R > 0, there always is an equitable function e : {0,1}^N → {0,1}^K, for any K > 0, such that knowledge of e, g and e(x) yields information on g(x).

Therefore, the best Alice and Bob can hope for is to reduce Eve's information arbitrarily. There can be no analogue to Theorem 15. Nonetheless, if we restrict Eve's choice of e even further, so that she can only read a selection of K physical bits of x, it becomes possible again for Alice and Bob to eliminate her information entirely, as discussed in Section 5.

For simplicity, let us assume that transmission errors and tampering are not a worry for Alice and Bob, so that an error detection protocol is not carried out. This assumption is removed in Section 4.3 of the full paper. Let x be the length-N bit string common to Alice and Bob, and let e(x) be the K-bit information known by Eve about x. Alice and Bob wish to publicly agree on some function g : {0,1}^N → {0,1}^R, for some R < N-K, such that knowledge of e, e(x) and g leaves Eve with an arbitrarily small fraction of one bit of information about g(x).

Here again, we consider two approaches for the reduction of Eve's information: one based on 
truly random functions and one based on universal hashing techniques. The first approach is only of 
theoretical interest, but the second one is efficient in practice. 

4.2.1. The case of truly random functions 

Theorem 19. Let e : {0,1}^N → {0,1}^K be any function, let S < N-K be a security parameter, and let R = N-K-S. If g : {0,1}^N → {0,1}^R is chosen randomly, the expected amount of information on g(x) given by knowledge of e, g and e(x) is at most 2^{-S}/ln 2 bit.

4.2.2. The case of universal hashing 

Contrary to the error detection protocols of Section 3, it is no longer sufficient to consider universal_2 classes: here, we use strongly universal_2 classes [WC].






Theorem 21. Let e, S and R be as in Theorem 19, let H be a publicly known strongly universal_2 class of hash functions from {0,1}^N to {0,1}^R, and let g be a function chosen randomly within H. The expected amount of information on g(x) given by knowledge of e, g and e(x) is at most 2^{-S}/ln 2 bit.

The above theorem is true despite the fact that Eve already knows the class H, but of course not the 
specific function g, when she gets to choose her function e. 
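The affine hash class of Section 4.1.3 and the privacy amplification of this section, in one added Python illustration that is not part of the paper. It implements h_{a,b}(x) = π_{a,b}(x) mod 2^K over GF(2^N), runs the Section 3.1 error-detection round, checks Theorem 15 by enumerating the candidate set C for every published tag, and then, in the Theorem 21 setting, computes Eve's expected information on the final string exactly for a K-bit function e of her choice and compares it with the 2^{-S}/ln 2 bound. The field size N = 6, the modulus x^6 + x + 1 and the choice e(x) = leftmost K bits are assumptions of this example, chosen so that every (a, b) and every x can be enumerated; the class {ax + b} with a = 0 allowed is used for g because it is strongly universal_2, as Theorem 21 requires.

```python
"""Affine hashing over GF(2^N): error detection (Section 3.1), the
information-free remainder of Theorem 15, and privacy amplification against
a private-channel eavesdropper (Theorem 21), all checked exhaustively.

Added illustration, not the paper's code. N = 6 and the modulus x^6 + x + 1
are toy choices (assumed here) so that every (a, b) pair can be enumerated.
"""
from collections import Counter
from math import log2

N = 6                 # length of Alice's string (toy size)
POLY = 0b1000011      # x^6 + x + 1, irreducible over GF(2): defines GF(2^6)
FULL = 1 << N


def gf_mul(a, b):
    """Carry-less multiply of two N-bit field elements, reduced by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FULL:
            a ^= POLY
    return r


def perm(a, b, x):
    """pi_{a,b}(x) = a*x + b in GF(2^N); a permutation of {0,1}^N when a != 0."""
    return gf_mul(a, x) ^ b


def tag(a, b, x, k):
    """h_{a,b}(x) = pi_{a,b}(x) mod 2^K, the K-bit error-detection value."""
    return perm(a, b, x) & ((1 << k) - 1)


def collision_probability(x, y, k):
    """Pr over all a != 0 and all b that tag(x) == tag(y) for x != y.
    universal_2 means this is at most 2^-K."""
    hits = sum(tag(a, b, x, k) == tag(a, b, y, k)
               for a in range(1, FULL) for b in range(FULL))
    return hits / ((FULL - 1) * FULL)


def remainder_is_uniform(a, b, k):
    """Theorem 15: for every published tag t, the candidates C = {z : h(z) = t}
    are carried by pi(z) div 2^K onto each (N-K)-bit value exactly once, so
    (a, b, t) say nothing about the string Alice and Bob keep."""
    for t in range(1 << k):
        tops = Counter(perm(a, b, z) >> k for z in range(FULL) if tag(a, b, z, k) == t)
        if len(tops) != 1 << (N - k) or set(tops.values()) != {1}:
            return False
    return True


def reconcile(x, y, a, b, k):
    """Sections 3.1/4.1.3 round: Alice publishes (a, b, h(x)); Bob accepts iff
    h(y) matches; both keep pi(.) div 2^K. Returns Alice's final string, or
    None when Bob must report a mismatch."""
    if tag(a, b, x, k) != tag(a, b, y, k):
        return None
    return perm(a, b, x) >> k


def entropy_bits(counts):
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def eve_deficiency(e, k, s):
    """Theorem 21 setting: Eve learns e(x) (K bits of her choosing); Alice and
    Bob then apply a random g_{a,b}(x) = pi_{a,b}(x) mod 2^R drawn from the
    strongly universal_2 class {a x + b : a, b in GF(2^N)} (a = 0 allowed),
    with R = N - K - S. Returns R - E_g[H(g(X) | e(X))] in bits, Eve's
    expected information on the final string; Theorem 21 bounds it by 2^-S/ln 2."""
    r = N - k - s
    mask = (1 << r) - 1
    groups = {}
    for x in range(FULL):                       # partition x by what Eve saw
        groups.setdefault(e(x), []).append(x)
    table = [[gf_mul(a, x) for x in range(FULL)] for a in range(FULL)]
    total = 0.0
    for a in range(FULL):
        for b in range(FULL):
            for xs in groups.values():
                dist = Counter((table[a][x] ^ b) & mask for x in xs)
                total += len(xs) / FULL * entropy_bits(dist)
    return r - total / (FULL * FULL)


if __name__ == "__main__":
    print("collision probability (K=3):", collision_probability(0b101010, 0b010101, 3))
    print("Theorem 15 holds for a=0b100101, b=0b011011:", remainder_is_uniform(0b100101, 0b011011, 3))
    print("Eve's expected information (K=2, S=2):", eve_deficiency(lambda x: x >> 4, 2, 2))
```

For the toy parameters, Eve's information comes out well below the 2^{-2}/ln 2 ≈ 0.36 bit of Theorem 21 even though she chose e with the class H already known to her; the 64 functions with a = 0 are the ones that give everything away, and the bound absorbs them.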

5. ELIMINATION OF THE EAVESDROPPER'S INFORMATION 

The protocols of Section 4.2 should be sufficient for most applications, despite the fact that Eve 
still has an arbitrarily small fraction of one bit of information on the resulting shared random string. 
Although we were able to eliminate her information entirely in Theorem 15, the techniques used 
could only be applied because Alice and Bob had complete knowledge of Eve's information. As 
shown in Theorem 17, this cannot be extended whenever Eve is allowed to access information of her 
choice from the private channel transmission. 

In this section, we investigate a protocol by which Alice and Bob can nonetheless wipe out 
Eve's information, assuming that she obtained a maximum of K physical bits of her choice from the 
private channel transmission. Although the value of K is known to Alice and Bob, they do not know, 
of course, which particular bits of their string are compromised. This protocol is expensive in the 
sense that the resulting string is generally substantially shorter than those resulting from the protocols 
of Section 4.2; however, this is the unavoidable price to pay in order to make sure that Eve is left 
with no information at all. 

5.1. The notion of (N, J, K)-functions

For any integers N, J and K such that N ≥ J+K, J > 0 and K > 0, a function f : {0,1}^N → {0,1}^J is said to be (N, J, K) if, no matter how one fixes any K of its input bits, each of the 2^J possible outputs can be produced in exactly 2^{N-J-K} different ways by varying the remaining N-K input bits. Intuitively, an (N, J, K)-function compresses an N-bit string into a J-bit string in such a way that knowledge of any K of the input bits gives no information on the output. This is equivalent to the notion of t-resilient functions independently introduced by [CGHFRS].

Given such a function, Alice and Bob can apply it to their respective strings, thus producing a 
new (shorter) string on which Eve has no information. Notice that this still holds even if she already 
knows which function will be used by Alice and Bob in advance of her deciding which K bits to read 
from the private channel. Therefore, the subsequent public transmission between Alice and Bob is 
not necessary in this case, as it can be replaced by a standard protocol. 

The case J = N-K is the best possible because there is no hope to produce a completely secret string of length N-K+1 if Eve knows K of the original N bits. A function f that is (N, N-K, K) is said to be (N, K). The following theorem shows how to build (N, K)-functions whenever they exist.

Theorem 23.

1) For any N > 1, there are (N, 1)- and (N, N-1)-functions.

2) For any N ≥ 3, there are no (N, K)-functions whenever 1 < K < N-1.






5.2. How to build (N, J, K)-functions

We wish to answer the following question: given N and K, what is the maximum value for J such that an (N, J, K)-function exists? In other words, what is the longest secret random string on which Alice and Bob can agree if they start from a random string of length N, of which K bits are compromised? Theorem 23 shows that J must be strictly smaller than N-K unless K = 1 or K = N-1.

We were unable to answer the above question in its full generality. For this reason, we restrict our attention to the special class of (N, J, K)-functions for which every output bit is produced as the exclusive-or of some of the input bits. Such functions are referred to as xor-(N, J, K)-functions. We conjecture that these functions are as efficient as possible, in the sense that if no xor-(N, J, K)-functions exist for given values of N, J and K, then no general (N, J, K)-functions exist either. This Xor-Conjecture is proved in [CGHFRS] for the case J = 2, but it is not believed in general by all members of [CGHFRS].

The following characterization, known as the Xor-Lemma, allows us to establish an equivalence between xor-(N, J, K)-functions and binary linear codes [MS].

Lemma 25 (independently discovered by [CGHFRS]). Let M be a J×N Boolean matrix. Let f : {0,1}^N → {0,1}^J be the function represented by M in the natural way (i.e. f(x)^T = M x^T, all operations being performed modulo 2). The function f is (N, J, K) if and only if the exclusive-or of any non-empty set of rows of M contains at least K+1 ones.

The equivalence is now stated:

Theorem 26 (independently discovered by [CGHFRS]). For given values of N, J and K, there exists an xor-(N, J, K)-function if and only if there exists an [N, J] binary linear code with minimum distance at least K+1 between any two codewords.

Consequently, our problem is equivalent to a classical problem of algebraic coding theory. Unfortunately, no efficient algorithms are known, much less closed-form formulae, to determine the largest possible minimum codeword distance among all [N, J] binary linear codes. There are, however, several classical lower and upper bounds on this value [MS], and these bounds apply just as well to our problem.

For instance, Hamming codes tell us that xor-(2^L-1, 2^L-L-1, 2)-functions exist for every L ≥ 2. Conversely, Hamming's upper bound shows that no xor-(2^L-1, 2^L-L, 2)-functions can exist. Elimination of Eve's information in this case (K=2) costs L-2-S more bits than if we had been satisfied to reduce her information below 2^{-S}/ln 2 bit, as in Section 4.2. Similarly, Griesmer's upper bound and the simplex code allow one to build xor-(2^L-1, L, 2^{L-1}-1)-functions for any L ≥ 2, whereas neither xor-(2^L-1, L, 2^{L-1})-functions nor xor-(2^L-1, L+1, 2^{L-1}-1)-functions can exist. Finally, the Varshamov-Gilbert lower bound together with McEliece's upper bound allow one to construct xor-(N, J, K)-functions such that J is at least half the optimal (xor) value, as long as K/N < 0.3 and N is large enough. We encourage the reader to consult [CGHFRS] for additional results on (N, J, K) (alias t-resilient) functions.
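Lemma 25 and Theorem 26 in runnable form, as an added Python illustration that is not part of the paper. The generator matrix of a code is taken as the matrix M of Lemma 25; the Xor-Lemma condition (every non-empty XOR of rows has weight at least K+1) and the (N, J, K) definition of Section 5.1 are each checked independently, so the two characterizations can be compared on the L = 3 instances from the paragraph above: the [7,4] Hamming code gives an xor-(7,4,2)-function and the [7,3] simplex code an xor-(7,3,3)-function. The particular generator matrices are standard choices assumed here.

```python
"""xor-(N, J, K)-functions from binary linear codes (Section 5.2).

Added illustration, not the paper's code: the rows of a code's generator
matrix are the matrix M of Lemma 25. The Xor-Lemma test and the brute-force
(N, J, K) definition are implemented separately so they can be compared.
"""
from collections import Counter
from itertools import combinations, product

# [7,4] Hamming code: minimum distance 3, so Theorem 26 gives an xor-(7,4,2)-function.
HAMMING_7_4 = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# [7,3] simplex code: every non-zero codeword has weight 4, giving xor-(7,3,3).
SIMPLEX_7_3 = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]


def apply_matrix(m, x):
    """f(x)^T = M x^T over GF(2): output bit i is the XOR of the input bits
    selected by row i. This is the function Alice and Bob apply to x."""
    return [sum(r * xi for r, xi in zip(row, x)) % 2 for row in m]


def min_row_xor_weight(m):
    """Smallest weight of the XOR of a non-empty set of rows, i.e. the
    minimum distance of the code generated by M."""
    best = None
    for size in range(1, len(m) + 1):
        for rows in combinations(m, size):
            w = sum(sum(col) % 2 for col in zip(*rows))
            best = w if best is None else min(best, w)
    return best


def max_resilience_by_lemma(m):
    """Lemma 25: f is (N, J, K) iff min_row_xor_weight(M) >= K+1, so the
    largest certified K is the minimum distance minus one."""
    return min_row_xor_weight(m) - 1


def is_njk_by_definition(m, k):
    """Direct check of the Section 5.1 definition: fix any K input positions
    to any values; each of the 2^J outputs must appear exactly 2^(N-J-K)
    times as the remaining N-K input bits vary."""
    j, n = len(m), len(m[0])
    if n < j + k:
        return False
    for positions in combinations(range(n), k):
        free = [i for i in range(n) if i not in positions]
        for fixed in product([0, 1], repeat=k):
            counts = Counter()
            for rest in product([0, 1], repeat=n - k):
                x = [0] * n
                for i, v in zip(positions, fixed):
                    x[i] = v
                for i, v in zip(free, rest):
                    x[i] = v
                counts[tuple(apply_matrix(m, x))] += 1
            if len(counts) != 1 << j or set(counts.values()) != {1 << (n - j - k)}:
                return False
    return True


if __name__ == "__main__":
    for name, m in (("Hamming [7,4]", HAMMING_7_4), ("simplex [7,3]", SIMPLEX_7_3)):
        k = max_resilience_by_lemma(m)
        print(f"{name}: Lemma 25 gives K = {k}; definition check:",
              is_njk_by_definition(m, k), "; K+1 fails:", is_njk_by_definition(m, k + 1))
```

The Hamming instance also illustrates Theorem 23: a (7,4,3)-function would be a (7,3)-function with 1 < 3 < 6, and the brute-force check indeed rejects K = 3.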

6. CONCLUSIONS 

If no eavesdropping occurred over the private channel, it is possible for Alice and Bob to publicly verify that no transmission errors nor tampering occurred either, with a 2^{-K} error probability, and end up with an entirely secret final string that is only K bits shorter than the original private transmission. This is optimal. A somewhat shorter common string, on which Eve still has no information, can also be obtained with high probability despite transmission errors over the private channel.

If partial eavesdropping occurred over the private channel, leaking up to K bits of information to Eve, in Shannon's sense, it is still possible for Alice and Bob to publicly verify that no transmission errors nor tampering occurred, with a 2^{-L} error probability, and end up with a final string that is K+L+S bits shorter than the original private transmission, on which Eve has less than 2^{-S}/ln 2 bit of information. Here again, transmission errors can be handled at the cost of reducing some more the length of the final common string.

Finally, if partial eavesdropping over the private channel is restricted to K physical bits secretly 
chosen by Eve, it becomes possible again for Alice and Bob to verify with high probability that no 
errors nor tampering occurred, and end up with a new string on which Eve has no information what- 
soever. However, the new string is substantially shorter than if Alice and Bob had tolerated 
knowledge by Eve of an arbitrarily small fraction of one bit of information. 



7. REFERENCES 



[Be] E. R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, New York, 1968.

[Br] G. Brassard, "On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys", in Advances in Cryptology: Proc. of Crypto 82, D. Chaum, R. L. Rivest and A. T. Sherman, eds., Plenum, New York, 1983, pp. 267-275.

[BB1] C. H. Bennett and G. Brassard, "Quantum Cryptography and its Application to Provably Secure Key Expansion, Public-Key Distribution and Coin-Tossing", in IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984, pp. 175-179.

[BB2] C. H. Bennett and G. Brassard, "An Update on Quantum Cryptography", in Advances in Cryptology: Proc. of Crypto 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science 196, Springer-Verlag, Berlin, 1985, pp. 475-480.

[BBR] C. H. Bennett, G. Brassard and J.-M. Robert, "Privacy Amplification through Public Discussion", submitted to SIAM J. Comput., 1985.

[CW] J. L. Carter and M. N. Wegman, "Universal Classes of Hash Functions", J. Comput. System Sci., 18 (1979), pp. 143-154.

[CGHFRS] B. Chor, O. Goldreich, J. Håstad, J. Friedman, S. Rudich and R. Smolensky, "The Bit Extraction Problem or t-Resilient Functions", in Proc. 26th IEEE Symposium on Foundations of Computer Science, IEEE Computer Society Press, 1985, pp. 396-407.

[DH] W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Trans. Information Theory, IT-22 (1976), pp. 644-654.

[G] R. G. Gallager, Information Theory and Reliable Communication, John Wiley and Sons, New York, 1968.

[GGM] O. Goldreich, S. Goldwasser and S. Micali, "How to Construct Random Functions", in Proc. 25th IEEE Symposium on Foundations of Computer Science, IEEE Computer Society Press, 1984, pp. 464-479.

[GM] S. Goldwasser and S. Micali, "Probabilistic Encryption", J. Comput. System Sci., 28 (1984), pp. 270-299.

[MS] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland, New York, 1977.

[WC] M. N. Wegman and J. L. Carter, "New Hash Functions and Their Use in Authentication and Set Equality", J. Comput. System Sci., 22 (1981), pp. 265-279.

[W] A. D. Wyner, "The Wire-Tap Channel", Bell System Technical Journal, 54 (1975), pp. 1355-1387.



Encrypting Problem Instances 

Or . . . , Can You Take Advantage of Someone 
Without Having to Trust Him? 

Joan Feigenbaum* 

Computer Science Department
Stanford University
Stanford, CA 94305



1. Introduction 

This paper describes ongoing work on the task of encrypting problem instances, also known as computing with encrypted data. A problem is specified by a function f and an instance by a value x in the domain of f. The scenario involves two people, A and B. A has instances {x_i} of f to which she needs answers, but she lacks the resources to compute them. We use the term resources completely generally: she may be lacking time, space, algorithmic knowledge, or appropriate hardware, or she may simply be too lazy to implement a solution that she knows others have already implemented. B has the resources to compute f(x) and is willing to let A use them, i.e., he is willing to send her f(x) if she sends him x. She would like to take advantage of his generosity without having to trust him, i.e., she does not want to reveal any more about her data than she must in order to enable him to compute the correct answer. Intuitively, we say that f is encryptable if A can easily transform instance x into instance x', obtain f(x') from B, and easily compute f(x) from f(x') in such a way that B cannot infer x from x'.

* The author did some of this work while at AT&T Bell Laboratories for 
the summer. During the academic year, she is funded by a Xerox Corporation 
Fellowship and a grant from the AT&T Bell Laboratories Graduate Research 
Program for Women. 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 477-488, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 




In the commutative diagram of Figure 1, the horizontal arrows x → x' and f(x') → f(x) represent computations done by A, and the vertical arrows x → f(x) and x' → f(x') computations that only B can do. B actually does the computation x' → f(x') but not the computation x → f(x) because A does not want him to know x. The instance x is called the cleartext instance and the instance x' the encrypted instance.

[Figure 1: commutative square with corners x, x', f(x), f(x'); the horizontal arrows x → x' and f(x') → f(x) are A's computations, the vertical arrows x → f(x) and x' → f(x') are B's.]

Figure 1. Because the diagram commutes, A learns the value of f(x). A does the inexpensive computations x → x' and f(x') → f(x). B does the expensive computation x' → f(x').

What follows is an attempt to formalize the statement "B cannot infer 
x from x'" and to give important examples of encryptable problems. Under 
one plausible definition of encryptability, all NP-complete problems that are 
P-isomorphic to CNF-SAT are encryptable. 

It is important to keep the following aspects of the problem clear: 

1) A's mistrust of B is confined to her fear that he will do something 
objectionable with her data; that is, she does trust him to give her the right 
answer f(x') to her encrypted instance. 

2) Encryptability is a property of the problem /, not of a particular so- 
lution to it. Thus, in her search for an encryption scheme, A cannot make 
assumptions about B's algorithm for computing f(x'). 






3) A is not searching for a public key encryption algorithm. The secu- 
rity of x may rest on the fact that probabilistic choices she makes during the 
computation x — ► x' are made in secret. 

2. Motivating Examples 

Example 1 is a scheme for encrypting instances of the discrete logarithm problem. As we go on, we will only consider formal definitions of encryptability that accept the scheme in Example 1, because it very clearly meets A's needs.

Example 1: Fix a large prime p and a generator g for the cyclic group Z_p^*. For x ∈ Z_p^*, A wishes to find the unique exponent e = f(x) in {1, ..., p-1} such that g^e ≡ x (mod p). To encrypt the instance x, she chooses a random element c of {1, ..., p-1} and lets

x' ← x · g^c mod p.

She sends x' off to B, and decrypts the answer by computing

f(x) ← f(x') - c mod (p-1).

This scheme is obviously feasible: Simple arithmetic shows that she will get the correct value for the discrete logarithm of x, and both computations x · g^c mod p and f(x') - c mod (p-1) can be done in time polynomial in log p. More importantly, it is also secure, because, for any pair of values x and x' in {1, ..., p-1}, there is an exponent c such that x' = x · g^c mod p. Thus we can say quite literally that, without knowing c, B cannot infer x from x'.
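Example 1 as a complete round trip of Figure 1, added here as a Python illustration that is not part of Feigenbaum's paper. The prime p = 1019 is a toy size (an assumption of this example) so that B's expensive step can be a brute-force logarithm; the blinding x' = x · g^c mod p and the unblinding f(x') - c mod (p-1) are exactly the two steps of the example, and the last function checks the security argument by showing that every x' in Z_p^* arises from a given x for some c.

```python
"""Encrypting a discrete-logarithm instance (Example 1 above).

Added illustration, not the paper's code. The prime is a toy size (assumed)
so that the untrusted helper B can take logarithms by brute force; A's
blinding and unblinding steps are those of Example 1.
"""
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def find_generator(p):
    """Smallest generator of Z_p^*: g generates iff g^((p-1)/q) != 1 mod p
    for every prime q dividing p-1."""
    qs = prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no generator found; is p prime?")


def brute_force_dlog(p, g, x):
    """B's expensive step: the unique e in {1, ..., p-1} with g^e = x mod p."""
    acc = 1
    for e in range(1, p):
        acc = acc * g % p
        if acc == x:
            return e
    raise ValueError("x is not in Z_p^*")


def encrypt_instance(p, g, x, c):
    """A's step x -> x': multiply by g^c for her secret random c."""
    return x * pow(g, c, p) % p


def decrypt_answer(p, answer, c):
    """A's step f(x') -> f(x): subtract c modulo p-1, normalised to {1, ..., p-1}."""
    return (answer - c - 1) % (p - 1) + 1


def outsourced_dlog(p, g, x, c):
    """Full round trip of Figure 1: A blinds x, B solves x', A unblinds."""
    x_prime = encrypt_instance(p, g, x, c)
    return decrypt_answer(p, brute_force_dlog(p, g, x_prime), c)


def blinded_values(p, g, x):
    """Every x' that x can be mapped to as c ranges over {1, ..., p-1}.
    It is all of Z_p^*, which is the security argument of Example 1."""
    return {encrypt_instance(p, g, x, c) for c in range(1, p)}


if __name__ == "__main__":
    p = 1019                                  # toy prime; 1018 = 2 * 509
    g = find_generator(p)
    x = 777
    c = secrets.randbelow(p - 1) + 1          # A's secret choice, never sent
    e = outsourced_dlog(p, g, x, c)
    print(f"p={p} g={g} x={x}: log = {e}, check g^e mod p = {pow(g, e, p)}")
    print("x' ranges over all of Z_p^*:", blinded_values(p, g, x) == set(range(1, p)))
```

B sees only x', which is uniformly distributed over Z_p^* whatever x is, so his answer f(x') leaks to A exactly what she wants while x stays with her; the test that matters for A is that pow(g, e, p) reproduces x after unblinding.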

Example 2 is a scheme for encrypting instances of the clique problem that I'd like to reject because it's not secure. The analysis of Example 2 will point us to a precise definition of security. The scheme uses the following definition of graph multiplication: If G and H are undirected graphs without self-loops, then G[H] ("G composed with H") is a finite graph with V(G[H]) = V(G) × V(H) and E(G[H]) = {(x,y)–(v,w) : x–v ∈ E(G), or x = v and y–w ∈ E(H)}. By the clique number of a graph G, we mean the number k such that G has a clique of size k but no clique of size k + 1.



Example 2: A's instance x is a pair G, k, where G is a finite, undirected graph without self-loops and k is an integer between 1 and |V(G)|, about which she inquires "does G have a complete subgraph with k nodes?" To encrypt x, A chooses a random graph H with clique number j and computes

$$x' \leftarrow G[H],\ kj.$$

The answer to x' that she gets from B is the same as the answer to x, as the following lemma shows. Thus, the decryption step f(x') → f(x) is trivial in this scheme.

Lemma 1: If H has clique number j, then G has a clique of size k if and only if G[H] has a clique of size kj.

Proof: If $\{v_1, \dots, v_k\}$ is a clique of G and $\{w_1, \dots, w_j\}$ is a clique of H, then $\{(v_a, w_b) : 1 \le a \le k,\ 1 \le b \le j\}$ is a clique of G[H]. Conversely, if $C = \{x_1, \dots, x_{kj}\}$ is a clique of G[H], then no more than j nodes in C can lie in a single copy of H. So C intersects at least k copies of H. Between any pair of these copies, there is at least one edge, and so all possible edges are present. Hence these copies correspond to at least k nodes of G that form a clique. □
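The composition G[H] and Lemma 1 as an added, runnable check (example code, not from the paper): the graphs are tiny and the clique number is found by exhaustive search, which is enough to watch a k-clique of G turn into a kj-clique of G[H] and the absence of a (k+1)-clique turn into the absence of a (k+1)j-clique.

```python
from itertools import combinations


def make_graph(nodes, edges):
    """An undirected graph without self-loops: (node list, set of frozenset edges)."""
    return list(nodes), {frozenset(e) for e in edges}


def compose(G, H):
    """G[H]: nodes are pairs (x, y); (x,y)-(v,w) is an edge exactly when
    x-v is an edge of G, or x == v and y-w is an edge of H."""
    g_nodes, g_edges = G
    h_nodes, h_edges = H
    nodes = [(x, y) for x in g_nodes for y in h_nodes]
    edges = set()
    for (x, y), (v, w) in combinations(nodes, 2):
        if frozenset((x, v)) in g_edges or (x == v and frozenset((y, w)) in h_edges):
            edges.add(frozenset(((x, y), (v, w))))
    return nodes, edges


def is_clique(subset, edges):
    return all(frozenset(pair) in edges for pair in combinations(subset, 2))


def clique_number(G):
    """Largest k such that G has a k-clique (exhaustive search; toy sizes only)."""
    nodes, edges = G
    for k in range(len(nodes), 0, -1):
        if any(is_clique(s, edges) for s in combinations(nodes, k)):
            return k
    return 0


def has_clique(G, k):
    return clique_number(G) >= k


def encrypt_clique_instance(G, k, H):
    """Example 2: the encrypted instance is (G[H], k*j), j the clique number of H.
    No decryption of the answer is needed because the answers agree (Lemma 1)."""
    return compose(G, H), k * clique_number(H)


def lemma_1_holds(G, H, k):
    """Check: G has a k-clique  <=>  G[H] has a (k*j)-clique."""
    GH, kj = encrypt_clique_instance(G, k, H)
    return has_clique(G, k) == has_clique(GH, kj)
```

The edge count of the composed graph, |E(G)|·|V(H)|² + |V(G)|·|E(H)|, is a quick sanity check on `compose` before trusting the clique search.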

The scheme in Example 2 is also feasible: A can grow H from one or more cliques of size j by adding only nodes of degree less than j, and she can construct E(G[H]) straightforwardly in time O(|E(G)| · |E(H)|). But we claim that the scheme is not secure. It is insecure because of the small number of possible cleartext instances that can correspond to an encrypted instance G', k'. Coppersmith and Feigenbaum show in [CF] that most composite graphs G' can be written as G[H] for only one pair of graphs G, H and that if a graph has two inequivalent factorizations $G_1[H_1]$, $G_2[H_2]$, then $|V(G_1)| \ne |V(G_2)|$. Thus the number of possible cleartext instances that can be encrypted as G', k' can be very generously upper-bounded by the number of integer factorizations of |V(G')| times the number of integer factorizations of k', which is all polynomial in |V(G')|. In the rare cases in which B cannot infer a unique G for which G[H] = G', he can at least infer that G is a member of a small set.

But how can he infer this information? In other words, what is the complexity of factoring graphs under this definition of multiplication? Feigenbaum and Schaffer have shown that it is the same, to within polynomial factors, as the complexity of testing whether two connected graphs are isomorphic [FS].



Because there is no known polynomial-time algorithm for testing graph isomorphism, one is tempted to say that graph multiplication is a one-way function and hence this scheme is secure. Recall, however, that B is solving instances of the clique problem. So, unless P = NP, he has more than polynomial time and could decide to spend it decrypting x' rather than solving it.

In this crucial way, our version of computing with encrypted data departs from recent work on cryptography by the theoretical computer science community. We want to say what it means to encrypt instances of hard problems, for which B has to be given a lot of time, and hence cannot allow schemes whose security rests on intractability assumptions. Rather than saying, as has been the fashion in computer science, that the cryptanalyst cannot decrypt the instance he sees because he does not have enough time, we want to return to more conventional criteria in cryptography and say that he cannot decrypt it because he does not have enough information. This is the case in Example 1, where B cannot figure out anything interesting because he does not know which value of c was used in computing x'.

3. A Precise but Lenient Definition of Encryptability 

In this section, we explore the consequences of the lesson of Example 2. The graph-composition scheme fails because the number of cleartext instances that correspond to a given encrypted instance is too small. In the following definition of a successful encryption scheme, this situation is precluded explicitly.

Suppose for now that f is a decision problem. In her encryption algorithm E, A will combine elements of Dom(f) with keys drawn from some convenient set K. The nature of K depends on the problem f. In Example 1, K was the set of exponents {1, ..., p − 1}.

Definition 1: $E : \mathrm{Dom}(f) \times K \to \mathrm{Dom}(f)$ is a successful encryption function for the decision problem f if:

1) E(x,k), $x \in \mathrm{Dom}(f)$, $k \in K$, can be computed in time polynomial in |x|,

2) E(x,k) is a yes-instance of f if and only if x is a yes-instance of f,



3) If x' is in the range of E, then

$$|\{x : \exists k \in K : E(x,k) = x'\}| \notin O(p(|x'|))$$

for any polynomial p, and

4) If $E(x,k_0) = x'$ for a particular key $k_0$, then

$$|\{k : E(x,k) = x'\}| = O(q(|x'|))$$

for some polynomial q.

Conditions 1 and 2 ensure that the encryption scheme is feasible; in fact condition 2 eliminates the need to do any decryption f(x') → f(x). The moral of Example 2 is embodied in condition 3, which says that the number of cleartext instances in the preimage of a particular encrypted instance x' is superpolynomial in the size of the instance. Condition 4 is a technical requirement for security: Say $x' \in \mathrm{Range}(E)$, $|x'| = n$, and $\{x_0, \dots, x_{2^{n-1}}\}$ is the complete set of cleartext instances in its preimage. If $\{k_1, \dots, k_{2^n}\}$ is a complete set of the keys that can result in the encrypted instance x', $E(x_0, k_i) = x'$ for $2^{n-1} + 1 \le i \le 2^n$, $E(x_i, k_i) = x'$ for $1 \le i \le 2^{n-1}$, and $E(x_i, k_j) \ne x'$ for $1 \le i \le 2^{n-1}$ and $i \ne j$, then there are a superpolynomial number of preimages of x', but they are extremely unequally probable. If A draws keys uniformly from $\{k_1, \dots, k_{2^n}\}$ and happens to wind up with encrypted instance x', then the probability is at least 1/2 that she started with cleartext instance $x_0$. This is not possible if condition 4 is satisfied. Note that there is no requirement that the function E be surjective.

Example 3 is a scheme for encrypting instances of the Comparative Vector 
Inequalities (CVI) problem; it is clear that the scheme satisfies conditions 1, 3, 
and 4, so the proof is omitted. Plaisted showed that CVI is NP-complete [P] . 

Example 3: Each instance of CVI consists of two sets of m-tuples of integers $\{x_1, \dots, x_k\}$ and $\{y_1, \dots, y_l\}$ about which A asks whether there is an m-tuple z such that the number of $x_i$ satisfying $x_i \ge z$ is strictly greater than the number of $y_j$ satisfying $y_j \ge z$, where $u \ge v$ if and only if no component of u is less than the corresponding component of v. To encrypt an instance, A chooses an element $w \in Z^m$ and computes

$$E(\{x_1, \dots, x_k\}, \{y_1, \dots, y_l\}, w) = \big(\{x_1 + w, \dots, x_k + w\},\ \{y_1 + w, \dots, y_l + w\}\big).$$



Then z satisfies $|\{x_i : x_i \ge z\}| > |\{y_j : y_j \ge z\}|$ if and only if $z' = z + w$ satisfies $|\{x'_i : x'_i \ge z'\}| > |\{y'_j : y'_j \ge z'\}|$, where $x'_i = x_i + w$ and $y'_j = y_j + w$.

Having shown that one NP-complete problem admits an encryption scheme satisfying Definition 1, we cannot avoid asking whether they all do. For each NP-complete problem f, there is a polynomial-time reduction r of f to CVI that takes yes-instances to yes-instances and no-instances to no-instances. Can A encrypt an instance x of f by first applying r and then applying the encryption function E from Example 3 to r(x)? Not necessarily: The fact that r may not be surjective prevents us from proving that the mapping E ∘ r satisfies conditions 3 and 4 of Definition 1.

If r were truly a structure preserving, polynomial-time computable mapping, then E could be composed with it to yield an encryption function for f. Berman and Hartmanis consider such a class of mappings, the p-isomorphisms, in [BH]. We will restate one of their results and then use it to prove something general about the encryptability of NP-complete problems. Let $\Sigma$ and $\Gamma$ be two alphabets, C a subset of $\Sigma^*$, and D a subset of $\Gamma^*$. A p-reduction of C to D is a transducer $T : \Sigma^* \to \Gamma^*$ that runs in polynomial time such that $T(x) \in D$ if and only if $x \in C$. A p-isomorphism is a bijection $f : \Sigma^* \to \Gamma^*$ such that f is a p-reduction of C to D and $f^{-1}$ is a p-reduction of D to C. Note that the functions f and $f^{-1}$ run in polynomial time on $\Sigma^* \setminus C$ and $\Gamma^* \setminus D$ as well as on C and D.

Theorem (Berman and Hartmanis): An NP-complete set U is p-isomorphic to CNF-SAT if and only if there exist two p-time computable functions $S_U$ and $D_U$ such that

(i) $(\forall x, y)\ [S_U(x,y) \in U \text{ iff } x \in U]$,

(ii) $(\forall x, y)\ [D_U(S_U(x,y)) = y]$.

It is straightforward to find appropriate functions S and D for the CVI 
problem of Example 3. 

Lemma 2: CVI is p-isomorphic to CNF-SAT. 

Proof: Suppose $(X = \{x_1, \dots, x_k\},\ Y = \{y_1, \dots, y_l\})$ is an instance of CVI, where $x_i = (x_{i1}, \dots, x_{im})$ and $y_j = (y_{j1}, \dots, y_{jm})$. Then put

$$S_{CVI}((X,Y), v) = \big(\{x'_1 = (x_{11}, \dots, x_{1m}, v), \dots, x'_k = (x_{k1}, \dots, x_{km}, v)\},\ \{y'_1 = (y_{11}, \dots, y_{1m}, v), \dots, y'_l = (y_{l1}, \dots, y_{lm}, v)\}\big).$$

We have $S_{CVI}((X,Y), v) \in$ CVI if and only if $(X,Y) \in$ CVI because $(z_1, \dots, z_m)$ is less than or equal to more $x_i$'s than $y_j$'s if and only if $(z_1, \dots, z_m, v)$ is less than or equal to more $x'_i$'s than $y'_j$'s. The obvious algorithm for $D_{CVI}$ (scan $x'_1$ and return its rightmost component) gives us $D_{CVI}(S_{CVI}((X,Y), w)) = w$. □
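Example 3 and Lemma 2 in runnable form, added here as an illustration (not the paper's code): a brute-force CVI decider, the translation-by-w encryption of Example 3, and the padding functions S_CVI and D_CVI of Lemma 2. The decider only tries z whose coordinates occur among the given vectors; that suffices because lowering a coordinate of z to the next occurring value changes no comparison, and raising it above every occurring value makes both counts zero. That observation is this example's, not the paper's.

```python
from itertools import product


def dominates(u, v):
    """u >= v in the CVI sense: no component of u is less than that of v."""
    return all(a >= b for a, b in zip(u, v))


def count_at_least(vectors, z):
    return sum(1 for x in vectors if dominates(x, z))


def cvi(X, Y):
    """Decide CVI: is there an m-tuple z with |{x in X : x >= z}| > |{y in Y : y >= z}|?
    Candidate coordinates for z are the values occurring in X or Y (see lead-in)."""
    m = len(X[0])
    candidates = [sorted({v[c] for v in X + Y}) for c in range(m)]
    return any(count_at_least(X, z) > count_at_least(Y, z)
               for z in product(*candidates))


def encrypt_cvi(X, Y, w):
    """Example 3: add the secret w to every vector.  A witness z moves to z + w,
    so the answer is unchanged and the answer needs no decryption."""
    shift = lambda v: tuple(a + b for a, b in zip(v, w))
    return [shift(x) for x in X], [shift(y) for y in Y]


def s_cvi(X, Y, v):
    """S_CVI of Lemma 2: append v as a new last coordinate to every vector."""
    return [x + (v,) for x in X], [y + (v,) for y in Y]


def d_cvi(instance):
    """D_CVI of Lemma 2: read the padding back off the rightmost component of x'_1."""
    X, _ = instance
    return X[0][-1]
```

Running `cvi` on an instance, on its translation by several w, and on its padding by `s_cvi` gives the same answer every time, which is exactly what conditions 2 of Definition 1 and (i) of the Berman-Hartmanis theorem require.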

Berman and Hartmanis state that they know of no NP-complete problems 
that are not p-isomorphic to CNF-SAT. In particular, they show that CLIQUE 
is p-isomorphic to CNF-SAT. The question of how many p-isomorphism classes 
there are among the NP-complete problems remains open, but Mahaney sub- 
sequently proved that the number is either one or countably infinite [M]. By 
Lemma 2, all the NP-complete problems that have been classified are in the 
same p-isomorphism class as CVI. 

Lemma 3: If f is a decision problem that is p-isomorphic to CVI, then f is encryptable under Definition 1.

Proof: Let $E_{CVI}$ be the encryption function for CVI from Example 3, x be an instance of f, and $\phi$ be a p-isomorphism of f onto CVI. Then the function

$$E_f(x, w) = \phi^{-1}\big(E_{CVI}(\phi(x), w)\big)$$

is an encryption function for f.

Because $E_{CVI}$, $\phi$, and $\phi^{-1}$ run in polynomial time, take yes-instances to yes-instances, and take no-instances to no-instances, $E_f$ does as well; thus $E_f$ satisfies conditions 1 and 2 of Definition 1. If $x' \in \mathrm{Range}(E_f)$, then $\phi(x') \in \mathrm{Range}(E_{CVI})$; each instance in the preimage of $\phi(x')$ under $E_{CVI}$ is of the form $\phi(x)$ for a unique instance x of f, because $\phi$ is a bijection. Thus $|\{x : \exists w : E_f(x,w) = x'\}| = |\{\phi(x) : \exists w : E_{CVI}(\phi(x), w) = \phi(x')\}|$ is not $O(p(|x'|))$ for any polynomial p. (Actually, we see immediately that it is not $O(p(|\phi(x')|))$ for any polynomial p, but this is equivalent, because $\phi$ can cause only polynomial growth or shrinkage in the size of both yes- and no-instances [M].) This means that $E_f$ satisfies condition 3. The proof that it satisfies condition 4 is almost identical. □



The following theorem goes as far as we can go by combining Lemmas 2 and 3 with the results of [BH]. No definitive statement can be made about which NP-complete problems are encryptable under Definition 1 without settling the question of whether they are all p-isomorphic.

Theorem 1: All problems that are in the same p-isomorphism class as CNF-SAT are encryptable under Definition 1. No NP-complete problems are known to lie outside of this class.

Finally, we need to exhibit an encryption scheme for the discrete logarithm problem that satisfies Definition 1. First observe that it is possible to pose the problem in yes/no form. For fixed p and g, each instance is a pair (x, [a, b]), where the second argument is a subinterval of [1, p − 1]. All arithmetic is done in $Z_p$; so if a > b in Z, the elements of the subinterval are a, a + 1, ..., p − 1, 1, 2, ..., b. The answer to the instance (x, [a, b]) is "yes" if and only if there is an e ∈ [a, b] such that $g^e = x \bmod p$. Binary search is used to answer an instance of the standard discrete logarithm problem in O(log p) iterations of the yes/no version: First choose a random element e of [1, p − 1], set [a, b] to $[e,\ e + \tfrac{p-1}{2} - 1 \bmod (p-1)]$, and set [A, B] to [1, p − 1]. Then repeat these steps until the discrete logarithm of x is in hand: Submit the instance (x, [a, b]) to the yes/no version of the algorithm. If the answer is "yes", then set [A, B] to [a, b] and set [a, b] to a random subinterval of this new [A, B] of size $\tfrac{|A - B| + 1}{2}$. If the answer is "no", then leave [A, B] unchanged and set [a, b] to its complement in [A, B]. The logarithm of x results from an affirmative answer to an instance of the decision problem in which a = b. In order to encrypt an instance of the standard version, choose a random c as in Example 1, go through the binary search with $g^c x \bmod p$ as the first argument and both endpoints of every interval translated by c mod (p − 1), and subtract c from the final answer.

The results we get with Definition 1 are unsatisfactory. It is possible for 
an encryption scheme to meet the requirements and still be vulnerable to the 
criticism that it doesn't really hide anything. This is the case in Example 3, 
where the possible preimages of an encrypted CVI instance are numerous, and 
they are syntactically different, but they have a lot of structure in common. 



The encryption schemes we get for other NP-complete problems by applying Theorem 1 are just as weak in this respect, because they come from Example 3 via isomorphisms. In order to get a meaningful definition of encryptability based on the size of the preimages of encrypted instances, we'd have to make precise when we call two instances different enough to count them separately.

Another important shortcoming of this approach is that it gives no hint of how to prove negative results. Our intuition is that many problems of importance in cryptography, e.g. integer factoring, are not encryptable and that the right definition would enable us to prove this.



4. Directions of Current and Future Work 



The failure of Definition 1 can be restated as follows: we have not said what the secret is. Exactly what about the cleartext instance x cannot be inferred from the encrypted instance x' without knowledge of the key k? In Definition 2, we address this question and ignore completely the size of the preimage of x', which was the focus of Definition 1.

Definition 2: Let f be a decision problem. We say that f is encryptable if there are two functions $E_1$ and $E_2$ and a set K of keys such that

1) $E_i : \mathrm{Dom}(f) \times K \to \mathrm{Dom}(f)$, i = 1, 2,

2) Both $E_1$ and $E_2$ are computable in polynomial time, and

3) $E_1(x,k)$ is a yes-instance of f if and only if x is a yes-instance, and $E_2(x,k)$ is a yes-instance if and only if x is a no-instance.



Figure 2: f is encryptable under Definition 2

So A is trying to hide the answer, f(x). She chooses a key and, with probability 1/2, uses the answer-preserving transformation $E_1$, with probability 1/2 the answer-reversing transformation $E_2$. B tells her "yes" or "no" and has only a 50-50 chance of guessing which is the answer to her original instance.

The first thing to observe about Definition 2 is that it is unlikely to be satisfied by a problem that's NP-complete: the function $E_2$ would be a polynomial-time reduction from f to its complement and thus could only exist if NP = Co-NP. However, there is a natural example of a decision problem for which such a pair $E_1$, $E_2$ can be found:

Example 4: Let f(n), $n \in N^+$, be "yes" if and only if n has an odd number of distinct prime factors. The key-space K consists of small sets of primes. A's algorithm for $E_1$ is to pick an even number of primes $p_1, \dots, p_{2t}$ and compute $E_1(x, \{p_1, \dots, p_{2t}\}) = x \cdot p_1 \cdots p_{2t}$; to reverse the answer in $E_2$, she does the same thing using an odd number of primes.
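Example 4 as an added runnable illustration (not code from the paper): E_1 multiplies by an even number of primes, E_2 by an odd number, and A's Definition 2 procedure picks one of them with probability 1/2. One detail the example fixes that the text leaves open: the primes chosen must not already divide n, otherwise they add nothing to the count of distinct prime factors; that restriction is this example's assumption.

```python
import math
import random


def make_rng(seed=None):
    """Seeded generator for reproducible runs, otherwise the OS entropy source."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def distinct_prime_factors(n):
    """Set of distinct primes dividing n (trial division; toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def f(n):
    """The decision problem of Example 4: does n have an odd number of distinct primes?"""
    return len(distinct_prime_factors(n)) % 2 == 1


def is_prime(p):
    return p >= 2 and all(p % d for d in range(2, int(p ** 0.5) + 1))


def fresh_primes(n, count, rng):
    """`count` distinct primes below 200 that do not divide n (this example's assumption)."""
    pool = [p for p in range(2, 200) if is_prime(p) and n % p != 0]
    return rng.sample(pool, count)


def e1(n, rng):
    """E_1: answer-preserving, multiply by an even number (2t) of fresh primes."""
    primes = fresh_primes(n, 2 * rng.randrange(1, 4), rng)
    return n * math.prod(primes), primes


def e2(n, rng):
    """E_2: answer-reversing, multiply by an odd number (2t+1) of fresh primes."""
    primes = fresh_primes(n, 2 * rng.randrange(0, 3) + 1, rng)
    return n * math.prod(primes), primes


def encrypt(n, rng):
    """A's Definition 2 procedure: with probability 1/2 use E_1, otherwise E_2.
    Returns (n', reversed); only A remembers which transformation was used."""
    if rng.random() < 0.5:
        return e1(n, rng)[0], False
    return e2(n, rng)[0], True


def decrypt(answer_from_b, reversed_answer):
    """B answers f(n'); A flips it back if E_2 was used."""
    return answer_from_b != reversed_answer
```

B's answer to n' is the right answer to n exactly half the time, and which half is determined by a bit only A holds.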

This f belongs to NP ∩ Co-NP and leads us to the

Open Question: Is every problem in NP ∩ Co-NP encryptable under Definition 2?




Finally, it would be very instructive to find some plausible definition under 
which we could prove that integer factoring is not encryptable. It is possible 
that some good would come of an attempt to generalize Definition 2 so that it 
applied to a broader class of /'s than just decision problems. 

5. Acknowledgements 

I would like to thank my advisor Andy Yao for many helpful discussions 
of these ideas. I also got a lot of useful feedback from friends at Stanford and 
at AT&T Bell Labs; special mention is due Eli Upfal for his suggestion that I 
look at Definition 2. 

6. References 

[BH] Berman, Len and Juris Hartmanis. "On Isomorphisms and Density of 
NP- and other Complete Sets", SIAM J. on Comput., 6 (2), 1977, 305-322. 

[CF] Coppersmith, Don and Joan Feigenbaum. "Finite Graphs with Two Inequivalent Factorizations Under the Composition Operator", IBM Research Report RC11149, 1985, submitted to Journal of Combinatorial Theory, Series B.

[FS] Feigenbaum, Joan and Alejandro A. Schaffer, "Recognizing Composite 
Graphs is Equivalent to Testing Graph Isomorphism", to appear in SIAM J. 
on Comput. 

[M] Mahaney, Stephen R. "On the Number of p-isomorphism Classes of NP- 
complete Sets", Proc. 22nd Annual IEEE Symposium on the Foundations of 
Computer Science, 22, 1981, 271-278. 

[P] Plaisted, David. "Some Polynomial and Integer Divisibility Problems are 
NP-hard", Proc. 17th Annual IEEE Symposium on the Foundations of Com- 
puter Science, 17, 1976, 264-267. 



DIVERGENCE BOUNDS ON KEY EQUIVOCATION AND ERROR PROBABILITY IN CRYPTANALYSIS

Johan van Tilburg and Dick E. Boekee 

Delft University of Technology 
Department of Electrical Engineering 
Information Theory Group 
P.O. Box 5031, 2600 GA Delft, The Netherlands 

0 . Abstract 

A general method, based on the f-divergence (Csiszar) is presented to obtain divergence bounds on error probability and key equivocation. The method presented here is applicable for discrete data as well as for continuous data. As a special case of the f-divergence it is shown that the upper bound on key equivocation derived by Blom is of the Bhattacharyya type. For a pure cipher model using a discrete memoryless message source a recursive formula is derived for the error probability. A generalization of the 6-unicity distance is given, from which it is shown why the key equivocation is a poor measure of theoretical security in many cases, and why lower bounds on error probability must be considered instead of upper bounds. Finally the concept of unicity distance is generalized in terms of the error probability and is called the Pe-Security Distance.

1 . Introduction 

Cipher systems have given birth to the possibility of sending secret messages via public insecure channels. The secrecy of the messages depends highly on the strength of the cipher system used. When evaluating the theoretical strength of cipher systems, it is assumed that the cryptanalyst behaves rationally, that he or she knows the set of transformations, the statistics of the message and the key source. The cryptanalyst tries to estimate the message used and/or the key from the intercepted cryptogram. Shannon [1] used a probabilistic model for the theoretical analysis of secrecy systems. This model has been refined recently by Jurgensen and Matthews [2].



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 489-513, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 



In Shannon's paper it is pointed out that if the cryptanalyst intercepts a cryptogram, he is able to calculate the a posteriori probabilities of the various possible messages and keys which might have produced this cryptogram. This set of a posteriori probabilities describes how the cryptanalyst's knowledge of the message and key gradually becomes more precise as more enciphered text is intercepted. Shannon used as a measure of theoretical strength the equivocation, which deals with a simplified description of the set of a posteriori probabilities. Then zero equivocation means that one key or message has a probability of one, and all others zero, corresponding to complete knowledge of the original key or message. Shannon also noticed that calculating the equivocation for the simplest type of cipher and language structure induces formulas which are nearly useless. His observation that the complexity of the problem suggests a method of approach, since sufficiently complicated problems can frequently be solved statistically, leads to the introduction of the famous "random cipher". Hellman [3] has shown that the random cipher actually defines a lower bound on the existence of good ciphers.

Blom [4] followed another way, by deriving an exponentially tight upper bound on the key equivocation for a simple substitution cipher (SSC) which is computationally more tractable. In Blom [5] an upper bound on the key equivocation for pure ciphers is given which exhibits the same structure as the bound in [4]. Later on, Dunham [6] derived bounds on the key appearance equivocation for an SSC and used the results of Blom [4] for bounding the message equivocation. Sgarro's paper [7] is based on an approach in coding theory, where one estimates error probabilities with respect to optimal coding problems. Sgarro made use of Kullback-Leibler divergence and composition classes to bound the error probability. His main results are asymptotic and contain the same relevant parameters as obtained by Blom [4] and Dunham [6].

2 . Bounds with f-divergence 

Typical in the approach is the use of information measures. For example, using Shannon's information measure leads to easy manipulation in a natural and intuitive way between different probability distributions (pd's). But still the underlying relevant parameter is the error probability (Pe). By bounding Pe with information measures, a region is determined in which the actual Pe can be found. The uncertainty in the value of Pe is resolved only in limiting cases where the bounds are tight. An excellent and straightforward use of this approach is given



by Lu [8], who uses Shannon's information measure to obtain the desired relation and applies the Fano inequality to lower bound Pe.

In the paper we consider the encipher system as a black box. Suppose we know the pd of the input (message) and the pd of the output (cryptogram). Transform the pd of the output to the input under a known key and compare the two pd's by means of Pe. Repeat this for all keys and select that key for which Pe is minimal. If ties occur then force a decision according to an arbitrary rule. Whereas determining Pe in a direct manner is quite involved, a much more natural way is to make use of the concept of distance measures since Pe is actually a distance measure itself.

The study of bounds on Pe has been of particular interest in the field of pattern recognition related to feature selection. Several distance measures have been used to obtain bounds on Pe, like Kolmogorov's variational distance, the Bhattacharyya distance, the J-divergence, the (generalized) Bayesian distance as well as many others. Much effort has been put into generalizing these measures from two classes with equal a priori probabilities to classes with non-equal a priori probabilities and from there to m classes, with m ≥ 2. The comparison of the various bounds on Pe has also received much attention. More details can be found in Kanal [9] and in Chen [10].

A generalized approach can be given by using the f-divergence, as defined by Csiszar [11]. In this paper we shall use a slight modification, which we shall call the normalized average f-divergence. This divergence measure is directly related to Pe by its very definition, and it is therefore convenient for manipulating in this theoretical context. We shall use a definition which is sufficient for this paper. More details can be found in Boekee and van Tilburg [12] and in [13], [14].

Before continuing, a short note about the notation. As far as possible the notation is in agreement with that of Blom in [4], [5], with the exception that the logarithms involved are taken to base 2. Throughout this paper we shall use the convention that capital letters denote random variables, boldface letters denote sequences, capital script letters are reserved for sets and lower case letters represent the elements in a set.

Let $\mathcal{S}$ denote an arbitrary (finite) set with cardinal number $|\mathcal{S}|$. $\mathcal{S}^L$ is the class of all sequences s of length L. A sequence (concatenation of symbols) s of length L of elements s (not necessarily different) in $\mathcal{S}$ is indicated by $s^L$.

The cipher model is a set of uniquely reversible transformations $T = \{t_j\}_{j=1}^J$ of a set of possible messages $\mathcal{M} = \{m_n\}_{n=1}^N$ into a set of cryptograms $\mathcal{E} = \{e_n\}_{n=1}^N$, the transformations having associated probabilities $P = \{p_j\}_{j=1}^J$. J is the cardinal number of the set of keys $K = \{k_j\}_{j=1}^J$.

Definition 2.1: The normalized average f-divergence (for short: f-divergence) for isonorm functions f(x) is given by

$$\bar D_f = \bar D_f(1;2) = \frac{1}{2}\cdot\frac{f_0 - D_f(1;2)}{f_0 - \tfrac12 f_1},$$

where f is a convex function satisfying

$$f_0 = \lim_{x \downarrow 0} f(x),\qquad f_\infty = \lim_{x \to \infty} \frac{f(x)}{x},\qquad f_0 = f_\infty \ \text{(isonorm restriction)},\qquad f_1 = f(1),$$

and

$$D_f(1;2) = \mathop{E}_{E^L}\left[ P_{K/E^L}(k_2/e^L)\cdot f\!\left(\frac{P_{K/E^L}(k_1/e^L)}{P_{K/E^L}(k_2/e^L)}\right)\right]$$

is the average f-divergence for discrimination of key $k_1$ against $k_2$. By $E_{E^L}$ we mean the expectation operator over the cryptograms $e^L$. □

If we define $f^*(x) = x \cdot f\!\left(\frac{1-x}{x}\right)$ and $u^L = u(e^L) = P_{K/E^L}(k_2/e^L)$, then it follows that

$$\bar f(u^L) = \frac{1}{2}\cdot\frac{f^*(0) - f^*(u^L)}{f^*(0) - f^*(\tfrac12)},$$

and hence $\bar D_f = E_{E^L}[\bar f(u^L)]$ (note that $f^*(0) = f_\infty = f_0$ and $f^*(\tfrac12) = \tfrac12 f_1$).

Note that $Pe = Pe(K/E^L) = 1 - E_{E^L}[\max(u^L, 1-u^L)] = E_{E^L}[\min(u^L, 1-u^L)]$, which shows that the f-divergence includes the error probability as a special case for $\bar f(x) = Pe(x) = \min(x, 1-x)$.

Definition 2.2: The Bhattacharyya distance is given by $B = -\log \rho$, where

$$\rho = \rho(E^L/K) = \sum_{e^L \in \mathcal{E}^L} \sqrt{P_{E^L/K}(e^L/k_1)\cdot P_{E^L/K}(e^L/k_2)}$$

is the Bhattacharyya coefficient.



If we take the a priori probabilities of the keys into account, we obtain the next definition.

Definition 2.3: The average Bhattacharyya distance is given by $\bar B = -\log \bar\rho$, where

$$\bar\rho = \bar\rho(K/E^L) = \mathop{E}_{E^L}\left[\sqrt{P_{K/E^L}(k_1/e^L)\cdot P_{K/E^L}(k_2/e^L)}\right] = \sum_{e^L \in \mathcal{E}^L} \sqrt{P_{KE^L}(k_1, e^L)\cdot P_{KE^L}(k_2, e^L)}$$

is the average Bhattacharyya coefficient.

If the keys are equiprobable it follows that $\bar\rho(K/E^L) = \tfrac12\,\rho(E^L/K)$. If we set $f(x) = -x^{1-\alpha}$, we find that $\bar f(x) = x^\alpha (1-x)^{1-\alpha}$. Then the f-divergence becomes

$$\bar D_f = \mathop{E}_{E^L}[\bar f(u^L)] = \mathop{E}_{E^L}\left[(u^L)^\alpha (1-u^L)^{1-\alpha}\right],$$

which is the Chernoff distance $C_\alpha(K/E^L)$. For $\alpha = \tfrac12$ we have

$$\bar D_f = \mathop{E}_{E^L}\left[\sqrt{u^L(1-u^L)}\right] = \mathop{E}_{E^L}\left[\sqrt{P_{K/E^L}(k_1/e^L)\cdot P_{K/E^L}(k_2/e^L)}\right],$$

which shows that the average Bhattacharyya coefficient is a special case of this f-divergence.

Similarly we find for $f(x) = |1 - x^{1/r}|^r$:

$$\bar D_f = \tfrac12 - \tfrac12 \cdot M_r^r,$$

where

$$M_r = \left[\mathop{E}_{E^L}\left\{\left|P_{K/E^L}(k_1/e^L)^{1/r} - P_{K/E^L}(k_2/e^L)^{1/r}\right|^r\right\}\right]^{1/r}$$

is the generalized Matusita distance.

For r = 1 we have Kolmogorov's variational distance and for r = 2 the usual Matusita distance.

In the next theorem a class of upper and lower bounds on the f-divergence is considered in terms of Pe. A sufficient condition for the validity of the theorem is to restrict the f-divergence to symmetric functions, i.e. $\bar f(1-u) = \bar f(u)$.



Theorem 2.1: A class of upper and lower bounds induced by Pe on the symmetric f-divergence is

$$Pe \le \bar D_f \le \bar f(Pe).$$

Proof: First observe that $\bar f(x)$ is a normalized concave function on $[0, \tfrac12]$ and $[\tfrac12, 1]$ resp., such that $\bar f(x) \ge \min(x, 1-x)$ for $x \in [0,1]$ with equality at least for $x \in \{0, \tfrac12, 1\}$;

i) since $\min(u^L, 1-u^L) \le \bar f(u^L)$ it follows that

$$\bar D_f = \mathop{E}_{E^L}[\bar f(u^L)] \ge \mathop{E}_{E^L}[\min(u^L, 1-u^L)] = Pe,$$

ii) by symmetry and the concavity of $\bar f$ on $[0, \tfrac12]$ (Jensen's inequality),

$$\bar D_f = \mathop{E}_{E^L}[\bar f(u^L)] = \mathop{E}_{E^L}[\bar f(\min(u^L, 1-u^L))] \le \bar f\big(\mathop{E}_{E^L}[\min(u^L, 1-u^L)]\big) = \bar f(Pe).$$

□

Remark: The theorem also gives bounds for normalized concave functions $\bar f(x)$ which do not satisfy the f-divergence. Moreover the symmetric restriction is not used in the proof of the lower bound. So for the Chernoff bound it holds that $Pe \le C_\alpha(K/E^L)$.

In fact, the lower bound stated is a direct upper bound on $Pe(K/E^L)$. The upper bound in this theorem sometimes cannot be rewritten (explicitly) as a bound on $Pe(K/E^L)$. This can be a disadvantage if we are interested in bounds on $Pe(K/E^L)$. However, the lower bound on $Pe(K/E^L)$ can then be computed numerically or indirectly via the upper bound.

Example 2.1: Bounds for the average Bhattacharyya coefficient. Because then $\bar f(x) = \sqrt{x(1-x)}$, we obtain

$$Pe \le \bar\rho(K/E^L) \le \sqrt{Pe\,(1-Pe)}$$

and

$$\tfrac12\left(1 - \sqrt{1 - 4\bar\rho^2}\right) \le Pe(K/E^L) \le \bar\rho.$$

□

Example 2.2: Bounds for the key equivocation. Because then $\bar f(x) = \tfrac12 h(x) = \tfrac12[-x \log x - (1-x)\log(1-x)]$, we obtain

$$Pe \le \tfrac12 H(K/E^L) \le \tfrac12 h(Pe),$$

where

$$H(K/E^L) = \mathop{E}_{E^L}[h(u^L)]$$

is Shannon's key equivocation. □
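An added numerical illustration of Definition 2.1, Theorem 2.1 and Examples 2.1 and 2.2 (example code, not the paper's): starting from f*(x) = x·f((1−x)/x) for the convex functions named in the text, it builds the normalized f̄, takes the expectation over a constructed posterior table, and checks the chain Pe ≤ D̄_f ≤ f̄(Pe). Two identities that the text states in words fall out of the same machinery: the Matusita divergence with r = 1 is Pe itself, and with r = 2 it equals the average Bhattacharyya coefficient. The posterior table is invented for the example.

```python
import math

# Constructed posterior table: pairs (P(e^L), u = P(k_2 / e^L)) for a handful of
# cryptograms; the probabilities sum to 1.  The values are invented for this example.
POSTERIORS = [(0.25, 0.10), (0.25, 0.45), (0.30, 0.80), (0.20, 0.50)]


def expectation(posteriors, fn):
    """E over the cryptograms e^L of fn(u^L)."""
    return sum(p_e * fn(u) for p_e, u in posteriors)


def fbar_from_fstar(fstar):
    """f̄(u) = ½ (f*(0) − f*(u)) / (f*(0) − f*(½)), with f*(x) = x·f((1−x)/x)."""
    f0, fhalf = fstar(0.0), fstar(0.5)
    return lambda u: 0.5 * (f0 - fstar(u)) / (f0 - fhalf)


def fstar_chernoff(alpha):
    """f(x) = −x^(1−α)  gives  f*(x) = −x^α (1−x)^(1−α)."""
    return lambda x: -(x ** alpha) * ((1.0 - x) ** (1.0 - alpha))


def fstar_matusita(r):
    """f(x) = |1 − x^(1/r)|^r  gives  f*(x) = |x^(1/r) − (1−x)^(1/r)|^r."""
    return lambda x: abs(x ** (1.0 / r) - (1.0 - x) ** (1.0 / r)) ** r


def fbar_shannon(u):
    """Example 2.2: f̄(u) = ½ h(u), h the binary entropy in bits."""
    if u <= 0.0 or u >= 1.0:
        return 0.0
    return 0.5 * (-u * math.log2(u) - (1.0 - u) * math.log2(1.0 - u))


def pe(posteriors):
    """Pe = E[min(u, 1−u)], the error probability of the best key decision."""
    return expectation(posteriors, lambda u: min(u, 1.0 - u))


def divergence(posteriors, fbar):
    """D̄_f = E[f̄(u^L)]."""
    return expectation(posteriors, fbar)


def theorem_2_1(posteriors, fbar):
    """Return (Pe, D̄_f, f̄(Pe)) and whether Pe ≤ D̄_f ≤ f̄(Pe) holds numerically."""
    p, d = pe(posteriors), divergence(posteriors, fbar)
    top = fbar(p)
    return p, d, top, (p <= d + 1e-12 and d <= top + 1e-12)


def example_2_1_bounds(posteriors):
    """Example 2.1 turned into bounds on Pe: ½(1 − sqrt(1 − 4ρ̄²)) ≤ Pe ≤ ρ̄."""
    rho = divergence(posteriors, fbar_from_fstar(fstar_chernoff(0.5)))
    lower = 0.5 * (1.0 - math.sqrt(1.0 - 4.0 * rho * rho))
    return lower, pe(posteriors), rho
```

The upper half of Theorem 2.1 needs f̄ to be symmetric, which the Chernoff function with α ≠ ½ is not; the Remark's lower bound Pe ≤ C_α still holds for it, and the test below checks only that for α = 0.3.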



The next lemma can easily be verified. A proof can be found, e.g., 
in Ito [15]. The lemma is illustrated in figure 2.1. 

Lemma 2.1: The relation between the bounds is given by

$$Pe(K/E^L) \le \tfrac12\,H(K/E^L) \le \bar\rho(K/E^L).$$



Figure 2.1. The basic functions $\bar f(u)$ which constitute the measures $\bar\rho$, $\tfrac12 H$, and Pe.

Next $\bar\rho$ will be determined for the general case, after which we shall return to the binary case. The model used is that of a pure cipher with the following assumptions.

. The message and the key are stochastically independent.
. The message source is discrete and memoryless.
. T is the set of all unique invertible transformations $t_j$ of $\mathcal{M}$ onto $\mathcal{E}$, where the index j is the associated key, $T = \{t_j\}_{j=1}^J$. Note that |K| = J.
. The cryptogram alphabet $\mathcal{E}$ is (not necessarily) identical to $\mathcal{M}$.

[Figure: the transformation $t_j$ maps the message symbols 1, 2, ..., N of $\mathcal{M}$ onto the cryptogram symbols $t_j(1), t_j(2), \dots$ of $\mathcal{E}$.]

Definition 2.4: Pure cipher (see Blom [16, theorem 3]). A cipher is pure if and only if its set of enciphering transformations T is a coset (left or right) in G and the keys are equiprobable.

Remark: G is the multiplicative group of all invertible transformations of $\mathcal{M}$ onto $\mathcal{M}$.

Following Blom [5], the set of enciphering transformations T forms a left coset in the group G. When the keys are equiprobable, it follows that the cipher is pure.

As T is a left coset, we may define

$$T = g \cdot R,$$

where $g \in G$ and $R = \{r_j\}_{j=1}^J$ is a subgroup in G.

Recalling Shannon [1], two secrecy systems R and S are similar, if 
there exists an invertible transformation A such that R = A.S. This 
means that enciphering with R is the same as enciphering with S follow- 
ed by the transformation A. It is clear that similarity is an equiva- 
lence relation. The problem of finding bounds for a cipher using the 
set of transformations T is now transformed to a cipher using the set 
of transformations R, where R is a subgroup in G. 

Theorem 2.2: The Bhattacharyya coefficient for the j-th transformation in a pure cipher model T using an N-ary discrete memoryless source with a priori probabilities $q_n$ is given by

$$\rho_j = \left(\sum_{n=1}^{N} \sqrt{q_n \cdot q_{r_j(n)}}\right)^L,$$

where $r_j \in R$, R is the group generating T, and $r_1$ is the identity element in R.

Proof: Because the keys are equiprobable and independent of the message source it follows for L = 1 that

$$P_{EK}(e, k_j) = \frac{1}{J}\cdot P_M\big(r_j^{-1}(e)\big),$$

where

$$P_M(x) = \sum_{n=1}^{N} q_n\,\delta(n - x).$$

As stated we compare the pd of the message source with the inversely transformed encryption pd which depends on the transformation (key) used. By noting that $k_1$ is associated with the identity transformation, after substitution of $P_{EK}(e, k_j)$ one easily obtains

$$\bar\rho_j = \frac{1}{J}\sum_{n=1}^{N} \sqrt{q_n \cdot q_{r_j(n)}}.$$

The extension to cryptograms of length L > 1 follows directly from the weak additivity of the Bhattacharyya distance B: $-L\cdot\log\rho = -\log\rho^L$, so that

$$\rho_j = J\cdot\bar\rho_j = \left(\sum_{n=1}^{N}\sqrt{q_n \cdot q_{r_j(n)}}\right)^L.$$

□

For the binary case this reduces to $\bar\rho_2 = \bar\rho = \tfrac12\left(\sqrt{4 q_1 q_2}\right)^L$.

Substitution in lemma 2.1 and example 2.1 proves the next theorem.

Substitution in lemma 2.1 and example 2.1 proves the next theorem.

Theorem 2.3. Bounds on the average probability of error (or probability
of incorrect key identification) in a pure cipher model
using a discrete memoryless source with a priori probabilities
\( q_n \) are:

\[ \tfrac{1}{2} \Big( 1 - \sqrt{ 1 - (4 q_1 q_2)^{L} } \Big) \le Pe(K/E^{L}) \le \tfrac{1}{2} H(K/E^{L}) \le \tfrac{1}{2} \big( \sqrt{4 q_1 q_2} \big)^{L}. \]

The upper bound on the key equivocation is the same as obtained by Blom 
[4] using an SSC-model ; however, at the same time we have a lower bound 
too. Moreover, for a different cipher model we only have to substitute 
the corresponding p in example 2.1, yielding the new upper and lower 
bounds. This illustrates the general structure of the bounds. 

By a similar argument it can be shown that for the Chernoff bound it
holds that

\[ Pe(K/E^{L}) \le C_{\alpha}(K/E^{L}) = \tfrac{1}{2} \big( q_1^{\alpha} q_2^{1-\alpha} + q_1^{1-\alpha} q_2^{\alpha} \big)^{L}, \]

where \( 0 < \alpha \le 1 \).

This is a symmetric upper bound, which is minimal for \( \alpha = \tfrac{1}{2} \); that is,
it coincides with the Bhattacharyya bound. This shows that the Bhattacharyya
bound is optimal in this context.

Thus far bounds on Pe have been considered. In the next theorem some
recursive properties of Pe are stated.

Theorem 2.4. For the average probability of error (or probability of
incorrect key identification) in a pure cipher model using
a discrete memoryless source with a priori probabilities
p > q it holds that

i) L is even: \( Pe(K/E^{L+1}) = Pe(K/E^{L}) - \tfrac{1}{2} (p-q) \binom{L}{L/2} (pq)^{L/2} \),

with \( Pe(K/E^{0}) = 0.5 \);

ii) L is odd: \( Pe(K/E^{L+1}) = Pe(K/E^{L}) \).

Proof.

i) If L is even we have

\[ Pe(K/E^{L+1}) = \sum_{i=0}^{L+1} \binom{L+1}{i} p^{i} q^{L+1-i} \cdot \min \Big\{ \frac{ p^{i} q^{L+1-i} }{ p^{i} q^{L+1-i} + p^{L+1-i} q^{i} },\ \frac{ p^{L+1-i} q^{i} }{ p^{i} q^{L+1-i} + p^{L+1-i} q^{i} } \Big\} \]

\[ = \sum_{i=0}^{L/2} \binom{L+1}{i} p^{i} q^{L+1-i} = q \sum_{i=0}^{L/2} \binom{L}{i} p^{i} q^{L-i} + p \sum_{i=0}^{L/2-1} \binom{L}{i} p^{i} q^{L-i} \]

\[ = q \cdot Pe(K/E^{L}) + \tfrac{1}{2} q \binom{L}{L/2} (pq)^{L/2} + p \sum_{i=0}^{L/2-1} \binom{L}{i} p^{i} q^{L-i} \]

\[ = Pe(K/E^{L}) - \tfrac{1}{2} (p-q) \binom{L}{L/2} (pq)^{L/2}, \]

where the last two steps use that for even L
\( Pe(K/E^{L}) = \sum_{i=0}^{L/2-1} \binom{L}{i} p^{i} q^{L-i} + \tfrac{1}{2} \binom{L}{L/2} (pq)^{L/2} \).

ii) If L is odd we have

\[ Pe(K/E^{L+1}) = \sum_{i=0}^{(L-1)/2} \binom{L+1}{i} p^{i} q^{L+1-i} + \tfrac{1}{2} \binom{L+1}{(L+1)/2} (pq)^{(L+1)/2} \]

\[ = q \sum_{i=0}^{(L-1)/2} \binom{L}{i} p^{i} q^{L-i} + p \sum_{i=0}^{(L-3)/2} \binom{L}{i} p^{i} q^{L-i} + \tfrac{1}{2} \binom{L+1}{(L+1)/2} (pq)^{(L+1)/2} \]

\[ = q \cdot Pe(K/E^{L}) + p \cdot \Big[ Pe(K/E^{L}) - \binom{L}{(L-1)/2} p^{(L-1)/2} q^{(L+1)/2} \Big] + \tfrac{1}{2} \binom{L+1}{(L+1)/2} (pq)^{(L+1)/2}. \]

Since \( \tfrac{1}{2} \binom{L+1}{(L+1)/2} = \binom{L}{(L-1)/2} \), it follows that \( Pe(K/E^{L+1}) = Pe(K/E^{L}) \).

An efficient algorithm can be obtained if theorem 2.4 is written in the
following way.

\[ Pe(0) = 0.5, \qquad A(0) = p - 0.5, \qquad B = 4 \cdot p \cdot (1-p), \]

for L even:

\[ Pe(L+2) = Pe(L+1) = Pe(L) - A(L), \]

\[ A(L+2) = A(L) \cdot \big( 1 - 1/(L+2) \big) \cdot B. \]
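The recursion above, as an added example that is not part of the paper: the block below computes Pe(K/E^L) for the binary SSC-model in two ways, directly as the Bayes error summed over all cryptograms and with the Pe(L), A(L), B recursion just stated, and sets the result beside the Bhattacharyya bounds of theorem 2.3 and the Chernoff bound. The function names and the p=0.7, L=7 sample point are my own choices; at that point the code gives Pe(K/E^7)=0.126 and the upper bound 0.27, the figures the paper quotes in example 4.3.

```python
"""Pe(K/E^L) for the binary pure-cipher (SSC) model of theorems 2.3 and 2.4.

Added example, not code from the paper. Assumptions: two equiprobable keys
(the identity and the swap of the two symbols), a binary memoryless source
with a priori probabilities p > q = 1 - p, and base-2 logarithms.
"""
from math import comb, sqrt
from typing import Tuple


def pe_direct(p: float, L: int) -> float:
    """Pe(K/E^L) summed over all cryptograms: a cryptogram with i ones has
    probability p^i q^(L-i) under the identity key and p^(L-i) q^i under the
    swap key; the Bayes decoder errs with the smaller of the two, and each
    key has prior 1/2."""
    q = 1.0 - p
    return 0.5 * sum(
        comb(L, i) * min(p ** i * q ** (L - i), p ** (L - i) * q ** i)
        for i in range(L + 1)
    )


def pe_recursive(p: float, L: int) -> float:
    """Pe(K/E^L) by the algorithm of theorem 2.4: Pe(0)=0.5, A(0)=p-0.5,
    B=4p(1-p); for even L, Pe(L+2)=Pe(L+1)=Pe(L)-A(L) and
    A(L+2)=A(L)(1-1/(L+2))B.  A(L) equals (p-q)/2 * C(L,L/2) (pq)^(L/2)."""
    pe, a, b = 0.5, p - 0.5, 4.0 * p * (1.0 - p)
    even = 0
    while even < L:
        pe -= a                                  # Pe(even+1) = Pe(even+2)
        a *= (1.0 - 1.0 / (even + 2)) * b        # next A
        even += 2
    return pe


def bhattacharyya_bounds(p: float, L: int) -> Tuple[float, float]:
    """Lower and upper bounds of theorem 2.3:
    1/2 (1 - sqrt(1 - (4pq)^L)) <= Pe <= 1/2 (sqrt(4pq))^L."""
    q = 1.0 - p
    rho_sq = (4.0 * p * q) ** L                  # (sqrt(4pq))^(2L)
    return 0.5 * (1.0 - sqrt(1.0 - rho_sq)), 0.5 * sqrt(rho_sq)


def chernoff_bound(p: float, L: int, alpha: float) -> float:
    """Chernoff bound 1/2 (q1^a q2^(1-a) + q1^(1-a) q2^a)^L for 0 < a <= 1;
    it equals the Bhattacharyya upper bound at a = 1/2."""
    q = 1.0 - p
    return 0.5 * (p ** alpha * q ** (1 - alpha) + p ** (1 - alpha) * q ** alpha) ** L


if __name__ == "__main__":
    for L in range(0, 9):
        lo, hi = bhattacharyya_bounds(0.7, L)
        print(f"L={L}: lower={lo:.4f}  Pe={pe_recursive(0.7, L):.4f}  upper={hi:.4f}")
```

Running the block prints the bound sandwich for p=0.7 up to L=8; the even-L rows repeat the preceding odd-L value of Pe, as part ii) of the theorem states.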

Remark. Although the key equivocation is a simplified description of
the set of a posteriori probabilities, it cannot be transformed into
an effective algorithm of the above type for an SSC-model.

From the theorem we may conclude that the behaviour of Pe for small L
is determined by |p-q|. This is in contrast to the long-term exponential
behaviour, which is characterized by \( |\sqrt{p} - \sqrt{q}| \).

A discussion of the relations between the different bounds and the actual
average error probability is deferred to section 4, where the variance
of the bound is investigated too.

3. Bound extensions of the Bhattacharyya type

In section 2 we have considered bounds on Pe for cipher systems using
binary sources. We now turn to the N-ary problem, where a general bound
in terms of the f-divergence can be given. Generally speaking this generalized
bound becomes less tight for increasing N. However, some particular
functions allow better bounds. For this reason this section is
completely devoted to the extension of the Bhattacharyya bound. Furthermore
there exists a general class of distance measures (for instance
the general mean distance [14]) which are inherently based on the N-ary
problem. First, a general bound of the Bhattacharyya type is derived on
\( Pe(K/E^{L}) \) as well as on \( H(K/E^{L}) \), after which the bound is restricted to
the pure cipher model. Finally, the pure cipher bound is applied in the
case of a discrete memoryless source.

A direct extension of the Bhattacharyya bound can be found by making use
of the following theorem:

Theorem 3.1. The upper bounds on the probability of error in a cipher
model using an N-ary source are given by

\[ Pe(K/E^{L}) \le \tfrac{1}{2} H(K/E^{L}) \le \tfrac{1}{2} \log \Big( \sum_{i=1}^{J} \sum_{j=1}^{J} \rho_{ij} \Big), \]

where

\[ \rho_{ij} = E_{E^{L}} \Big[ \sqrt{ P_{K/E}(k_i/e^{L}) \cdot P_{K/E}(k_j/e^{L}) } \Big]. \]

Proof. i) Kovalevsky [17] has proved that

\[ \log m + m (m+1) \log \Big( \frac{m+1}{m} \Big) \Big( Pe(K/E^{L}) - \frac{m-1}{m} \Big) \le H(K/E^{L}), \quad \text{with } \frac{m-1}{m} \le Pe \le \frac{m}{m+1}. \]

For m=1 or \( 0 \le Pe \le \tfrac{1}{2} \) this bound reduces to \( 2 \cdot Pe(K/E^{L}) \le H(K/E^{L}) \). This
holds for \( Pe > \tfrac{1}{2} \) too, with the implication that the implicit expression
is tighter.

ii)

\[ H(K/E^{L}) = E_{E^{L}} \big[ H(K/e^{L}) \big] = E_{E^{L}} \Big[ - \sum_{i=1}^{J} P_{K/E}(k_i/e^{L}) \log P_{K/E}(k_i/e^{L}) \Big] \]

\[ \le E_{E^{L}} \Big[ \log \Big( \sum_{i=1}^{J} \sqrt{ P_{K/E}(k_i/e^{L}) } \Big)^{2} \Big] = E_{E^{L}} \Big[ \log \sum_{i=1}^{J} \sum_{j=1}^{J} \sqrt{ P_{K/E}(k_i/e^{L}) \cdot P_{K/E}(k_j/e^{L}) } \Big] \]

\[ \le \log \sum_{i=1}^{J} \sum_{j=1}^{J} \rho_{ij}. \]

This result has implicitly been proved by Blom [4].
Combining (i) and (ii) yields the theorem.



For the pure cipher model we have

. independence of the keys used: \( \sum_{j=1}^{J} \rho_{ij} = \sum_{j=1}^{J} \rho_{1j} \) for every i,
. equiprobable keys: \( \rho_{jj} = \frac{1}{J} \), so that \( \sum_{j=1}^{J} \rho_{jj} = 1 \) for the terms with i=j,

which implies the next corollary.

Corollary 3.1. For the upper bounds on the probability of error in a
pure cipher model using an N-ary source, we have

\[ Pe(K/E^{L}) \le \tfrac{1}{2} H(K/E^{L}) \le \tfrac{1}{2} \log \Big( 1 + \sum_{j=2}^{J} \rho'_{1j} \Big), \]

where

\[ \rho'_{ij} = J \cdot \rho_{ij} \quad \text{and} \quad J = |K|. \]



The next corollary ensues from substituting \( \rho_j \) (Theorem 2.2) in
corollary 3.1. Because the summation of \( \rho'_{1j} \) is taken over all transformations
in the group R it makes no difference if we write \( r_j^{-1}(n) \) instead
of \( r_j(n) \).

Corollary 3.2. For the upper bounds on the probability of error in a
pure cipher model T using an N-ary discrete memoryless
source, we have

\[ Pe(K/E^{L}) \le \tfrac{1}{2} H(K/E^{L}) \le \tfrac{1}{2} \log \Big( 1 + \sum_{j=2}^{J} \Big( \sum_{n=1}^{N} \sqrt{ q_n \cdot q_{r_j(n)} } \Big)^{L} \Big), \]

where \( r_j \in R \), R is the group generating T and \( r_1 \) is the identity element.

The upper bound on the key equivocation is the same as obtained by Blom
[5]. However, the proof is simplified considerably and the general structure
of the bound becomes clear.

A lower bound can be found by using the natural multiplicative extension
of the Bhattacharyya coefficient. A general (non-trivial) upper
bound for this extension does not exist (van Tilburg [18]).

Theorem 3.2. A lower bound on the probability of error in a cipher model
using an N-ary source is given by

i) \( [1 - Pe(K/E^{L})] \cdot Pe(K/E^{L})^{J-1} \ge (J-1)^{J-1} \cdot \rho_J^{J} \),

ii) \( Pe(K/E^{L}) \ge (J-1) \cdot \rho_J^{J/(J-1)} \),

where

\[ \rho_J = E_{E^{L}} \Big[ \prod_{j=1}^{J} P_{K/E}(k_j/e^{L})^{1/J} \Big] \]

is the multiplicative extension of the average Bhattacharyya coefficient.

Proof. i) Define \( x = x(e^{L}) = \max_j P_{K/E}(k_j/e^{L}) \). Then, by the
arithmetic-geometric mean inequality applied to the remaining J-1 a posteriori
probabilities (which sum to 1-x) and Hölder's inequality,

\[ \rho_J = E_{E^{L}} \Big[ \prod_{j=1}^{J} P_{K/E}(k_j/e^{L})^{1/J} \Big] \le E_{E^{L}} \Big[ x^{1/J} \Big( \frac{1-x}{J-1} \Big)^{(J-1)/J} \Big] \]

\[ \le \big( E_{E^{L}}[x] \big)^{1/J} \cdot \Big( E_{E^{L}} \Big[ \frac{1-x}{J-1} \Big] \Big)^{(J-1)/J} = \big( 1 - Pe(K/E^{L}) \big)^{1/J} \cdot \Big( \frac{ Pe(K/E^{L}) }{ J-1 } \Big)^{(J-1)/J}, \]

or

\[ (J-1)^{J-1} \cdot \rho_J^{J} \le \big( 1 - Pe(K/E^{L}) \big) \cdot Pe(K/E^{L})^{J-1}. \]

ii) Simplifying the inequality in (i) by making use of
\( (1 - Pe) \cdot Pe^{J-1} \le Pe^{J-1} \) implies

\[ (J-1) \cdot \rho_J^{J/(J-1)} \le Pe(K/E^{L}). \]

The proof of the next lemma is similar to that of theorem 2.2 and
is therefore omitted.



Lemma 3.1. The multiplicative extension of the Bhattacharyya coefficient
in a pure cipher model T using an N-ary discrete memoryless
source with a priori probabilities \( q_n \) is given by

\[ \rho_J = \frac{1}{J} \Big( \sum_{n=1}^{N} \prod_{j=1}^{J} q_{r_j(n)}^{1/J} \Big)^{L}, \]

where \( r_j \in R \), R is the group generating T, and \( \rho'_J = J \cdot \rho_J \).

Substituting lemma 3.1 in theorem 3.2 yields corollary 3.3.

Corollary 3.3. A lower bound on the probability of error in a pure
cipher model T using an N-ary discrete memoryless source
with a priori probabilities \( q_n \) is given by

\[ (J-1) \cdot \Big[ \frac{1}{J} \Big( \sum_{n=1}^{N} \prod_{j=1}^{J} q_{r_j(n)}^{1/J} \Big)^{L} \Big]^{J/(J-1)} \le Pe(K/E^{L}), \]

where \( r_j \in R \) and R is the group generating T.

For large-sized key spaces we have the tight approximation

\[ \Big( \sum_{n=1}^{N} \prod_{j=1}^{J} q_{r_j(n)}^{1/J} \Big)^{L} \le Pe(K/E^{L}). \]



4. The Pe-security distance

The f-divergence is defined in a probabilistic environment and therefore
easily fits into the probabilistic model of cryptosystems proposed
by Jürgensen and Matthews [2]. In their paper (section 6) they have defined
the β-UD as \( \min_{L} \{ L \mid H(K/E^{L}) \le \beta \} \).

They also propose the (α, β)-security distance: a system is said to be
(α, β)-secure at L if \( \Pr\{ H(K/e^{L}) \le \beta \} \le \alpha \). In the present section the
β-UD is related to Pe and is not restricted to the key equivocation
only. To avoid confusion we refer to this generalized β-UD as the γ-UD.
When discussing the results of the SSC-model it is observed that Pe is
a natural (theoretical) security measure. By noting this, Pe is derived
for a random cipher (RC-model). As a result it is found that at unicity
distance Pe highly depends on the size of the key space. Hence
we conclude that linking the UD to Pe leads to a better and more adequate
explanation of the unicity distance. Finally, the concept of
UD is generalized in terms of Pe and is called the Pe-security distance
(Pe-SD). This security distance can be considered as a special
case of the γ-UD and includes the original UD found in an RC-model too.
Moreover, it becomes clear that lower bounds are needed to approximate the
Pe-SD. For the key equivocation this means that one must make use of
the Fano inequality, because the key equivocation itself defines an
upper bound.

In this section our main concern is the binary case. For this reason
and to avoid unnecessary notational problems the γ-UD is mainly described
for the binary case.

Definition 4.1. The generalized γ-unicity distance or, for short, the
γ-UD is defined as

\[ L(\gamma) = \min_{L} \{ L \in \mathbb{R}^{+} \mid E_{E^{L}}[g(u_L)] \le \gamma \}, \]

where

\[ u_L = u(e^{L}) = P_{K/E}(k_2/e^{L}), \]

and g(.) is a normalized function such that \( g(x) \ge \min(x, 1-x) \) for
\( x \in [0,1] \) with equality at least for \( x \in \{0, 1\} \).

□

Observe that for \( g(u_L) = f(u_L) \) we have the γ-UD for the f-divergence,
whereas if \( g(u_L) = \tfrac{1}{2} h(u_L) \) the γ-UD for the normalized key equivocation
is obtained.

The γ-UD not only depends on the measure used, but it depends on the
model used (including the source) too. This is illustrated by the
following examples:

Example 4.1. For the γ-UD using the key equivocation we have

\[ L(\gamma) = \min_{L} \{ L \in \mathbb{R}^{+} \mid \tfrac{1}{2} H(K/E^{L}) \le \gamma \}. \]

If the key and message sources are independent we find

\[ L(\gamma) = \min_{L} \{ L \in \mathbb{R}^{+} \mid H(E^{L}) - H(M^{L}) \ge H(K) - 2\gamma \}. \]

If in addition the message source is memoryless this becomes

\[ L(\gamma) = \min_{L} \Big\{ L \in \mathbb{R}^{+} \mid L \ge L(0) \cdot \Big( 1 - \frac{2\gamma}{H(K)} \Big) \Big\}, \]

with

\[ L(0) = \frac{ H(K) }{ H(E) - H(M) }. \]

Note that \( H(K/E^{L}) \) is convex in the sense that \( H(K/E^{L}) - H(K/E^{L+1}) \ge
H(K/E^{L+1}) - H(K/E^{L+2}) \) and \( H(E) - H(M) = H(K/E^{0}) - H(K/E^{1}) \), so that
L(0) can be found as the point of intersection of the straight line
through \( H(K/E^{0}) \) and \( H(K/E^{1}) \) with the L-axis. This line defines a lower
bound on the key equivocation. □

Example 4.2. For a random cipher model we have

\[ L(\gamma) = \min_{L} \{ L \in \mathbb{R}^{+} \mid L \ge L(0) \cdot (1 - 2\gamma) \}, \]

with

\[ L(0) = \frac{ \log |K| }{ \log |M| - H_L(M) }. \]

L(0) is the original UD for the RC-model obtained by Shannon [1]. \( H_L(M) \)
denotes the entropy per symbol in a sequence of L message symbols, i.e.
\( H_L(M) = H(M^{L})/L \). Note that the decrease of L(γ) is linear; this is not
necessarily so for other models.

Now we are able to state the next lemma, which is a generalization of
the second part of proposition 7.6 [2] with the assumptions made above.
The proof is similar and is therefore omitted.

Lemma 4.1. If \( L_0 \) is the γ-unicity distance, then for \( L \ge L_0 \) we have

\[ \Pr\{ g(u_L) \le \gamma \} \ge \frac{ \mathrm{Var}_{E^{L}}[g(u_L)] }{ \gamma^{2} + \mathrm{Var}_{E^{L}}[g(u_L)] }. \]

Let us consider an SSC-model using a binary memoryless message source
with a priori probabilities p=0.6 and q=0.4. The upper and lower
bounds on Pe (derived in section 2) are applied to this model and illustrated
in figure 4.1, in which the exact value of Pe is given too.
The figure shows that ρ and ½H are loose upper bounds for small values
of L; even at UD they are still not tight. This is also demonstrated
by the next example.



505 



Example 4.3. (see also example 7.2 [2]).

Consider the SSC-model with p=0.7 and L=7 (RC-model: UD=8.4). For this
model we have \( \rho(K/E^{7}) = 0.27 \) and \( \tfrac{1}{2} H(K/E^{7}) = 0.22 \).

Although these values are not too high they are still much too optimistic
since \( Pe(K/E^{7}) = 0.126 \).

Figure 4.1. Bounds on the average probability of incorrect key identification
Pe in a memoryless SSC-model with p=0.6. (Plot against L; not reproduced.)

Figure 4.2. The variance of \( \rho(u_L) \), \( \tfrac{1}{2} h(u_L) \) and \( Pe(u_L) \) for a memoryless
SSC-model with p=0.6. (Plot against L; not reproduced.)






In addition to all this, consider L(γ) with γ constant for the different
bounds. Now it becomes clear that the γ-UD (and thus the (α, β)-SD,
too) is a poor and positively biased estimator of L in \( Pe(K/E^{L}) = \gamma \);
this in contrast to the lower bounds, which are negatively biased and
tighter.

In figure 4.2 the variance of \( g(u_L) \) is shown for the SSC-model. It
is observed that the variance of \( H(K/e^{L}) \) is maximal at UD, which is
found for other values of p too. Moreover, the length of the cipher text
at which the variance of \( Pe(u_L) \) reaches its maximum is always less
than the length obtained by \( \rho(u_L) \) and \( h(u_L) \). This can be explained
from the convex nature of \( Pe(u_L) \); this in contrast to \( \rho(u_L) \), which is
a concave function (see also figure 4.3). Besides this, for the normalized
functions it holds that \( \mathrm{Var}[g(u_L)] \le E[g(u_L)] \) since
\( \mathrm{Var}[g(u_L)] \le E[g^{2}(u_L)] \le E[g(u_L)] \). This is illustrated by the next
example.

Example 4.4. (see also p. 292 [3] and p. 343 [2]).

Suppose that after intercepting L enciphered symbols it holds that

\[ n_k = \begin{cases} 0 & \text{with probability } 1 - 10^{-10}, \\ 10^{20} & \text{with probability } 10^{-10}, \end{cases} \]

in which \( n_k \) is the number of spurious key decipherments. Then \( \bar{n}_k = 10^{10} \)
and \( \mathrm{Var}(n_k) \approx 10^{30} \).

In the worst case \( P_{K/E}(k_i/e^{L}) = P_{K/E}(k_j/e^{L}) \) for all \( k_i \) and \( k_j \) in K,
so that the key space must satisfy \( |K| = 10^{20} + 1 \). For Pe we then obtain

\[ Pe(K/E^{L}) \approx 10^{-10} \quad \text{and} \quad \mathrm{Var}_{E^{L}}[Pe(u_L)] \approx 10^{-10}. \]

Since the real key space may be larger, say for example \( |K| = 10^{100} \),
it follows that

\[ Pe(K/E^{L}) \approx 10^{-90} \quad \text{and} \quad \mathrm{Var}_{E^{L}}[Pe(u_L)] \approx 10^{-170}. \]

So, the interpretation of \( \bar{n}_k \) (and \( H(K/E^{L}) \) also) depends greatly on the
size of the key space. For this reason it is necessary to utilize normalized
functions. Moreover, the interpretation of the variance becomes
more realistic too. □



Figure 4.3. The variance weighting for ρ, H and Pe. (Figure not reproduced.)

Figure 4.4. Lower bounds (Lemma 4.1) on \( \Pr\{ g(u_L) \le \gamma \} \) for the different
measures in a memoryless SSC-model with p = 0.6. (Plot against L; not reproduced.)

Figure 4.4 in combination with figure 4.1 tells us that \( Pe(K/E^{L}) \) for
a given γ is more reliable than the other measures. Finally it is observed
that in the SSC-model \( Pe(K/E^{L}) \) at L=UD (UD in RC-model) is almost
constant for different values of p and is approximately 0.12 even
for \( UD = 10^{6} \).

From the SSC-model it seems that Pe is a good and natural measure of
theoretical security. For this reason we shall briefly pay attention
to its behaviour in an RC-model.



The next theorem is a direct consequence of Hellman's definition of
an RC-model and the expected number of spurious key decipherments [3].

Theorem 4.1. The average probability of error (or probability of incorrect
key identification) in a random cipher model is
given by

\[ Pe_{RC}(K/E^{L}) = \frac{ |K| - 1 }{ |K| } \cdot 2^{-L \cdot R} \approx 2^{-L \cdot R}, \]

where

\[ R = \log |M| \cdot \Big( 1 - \frac{ H_L(M) }{ \log |M| } \Big). \]

Proof. There are |K| different and independent keys so that

\[ Pe_{RC}(K/E^{L}) = \frac{ \bar{n}_k }{ |K| }, \]

in which \( \bar{n}_k \) is the average number of spurious key decipherments.
According to Hellman [3, theorem 1] we have
\( \bar{n}_k = (|K| - 1) \cdot 2^{-L \cdot R} \) with \( R = \log |M| - H_L(M) \). Substitution yields the
theorem. If the key space is sufficiently large we have the nice approximation
\( 2^{-L \cdot R} \).

□

In a similar way the other theorems in [3] can be adapted in terms of
Pe too.

Remark. It is important that the assumptions imposed by the RC-model
be reasonable for the real secrecy system including the language used.
For example, not only the uniformly distributed assumption must be
considered but also the effective size of the key space, which depends
highly on the language used and on the length of the intercepted text.
For large L the dependence may be negligible, but for small and moderate
values one has to face the fact that some of the keys act similarly,
i.e. key residue classes must be considered instead of the single keys.
If a key residue class is detected with a small probability of error the
remaining keys in this class are indistinguishable. At best one can
choose a key according to an arbitrary rule. This introduces an extra
error which depends on the size of the residue class. Note that data
compression reduces this extra error. So when one's aim is to protect
the key, data compression must be considered with care.

At unicity distance it holds that H(K) = L.R. Now the next corollary
follows immediately from theorem 4.1 and the corresponding remark.



Corollary 4.1. The average probability of error (or probability of
incorrect key identification) in a random cipher model
at unicity distance is given by

\[ Pe_{RC}(K/E^{UD}) = \frac{ |K| - 1 }{ |K|^{2} }. \]

Note that \( Pe_{RC}(K/E^{UD}) = 0.25 \) for |K| = 2. For the SSC-model we have
found that at L=UD (UD in RC-model) \( Pe_{SSC}(K/E^{UD}) \approx 0.12 \), which was
fairly constant even for a \( UD = 10^{5} \). This discrepancy is due to the fact
that \( Pe_{RC}(K/E^{L}) \) is an upper bound on \( Pe_{SSC}(K/E^{L}) \) and is tight for
L >> UD.

Example 4.5. In an SSC-model using the English language for small
and moderate values of L the effective number of keys is less than 26!.
This is caused by the fact that the average number of different letters
that occur in messages of length L is less than 26. This is illustrated
in table 4.1. At UD in an RC-model the average number of different
letters per message is about 14. Therefore the average probability
of error becomes

\[ Pe_{RC}(K/E^{UD}) \approx \frac{ 14! - 1 }{ (14!)^{2} } \approx 1 \cdot 10^{-11}. \]

This means that on the average 1 key residue class to every \( 10^{11} \) key residue
classes will be incorrectly identified from the effective number
of keys induced by the cipher text of UD length. The actual \( Pe_{RC}(K/E^{UD}) \)
depends on the size of the key residue class too, which may be rather
large. Nevertheless when we know the key residue class we know the
message too. This explains why it is almost always possible to get a
unique solution at UD.

As stated in corollary 4.1 the UD in an RC-model defines a Pe which depends
on the size of the key space (the larger the size of the key
space, the smaller Pe). As a result the meaning of the UD for different
sizes of the key space is also different, in the sense of Pe. Actually
that is not what one prefers. It is desirable to have a UD for
which the explanation is independent of the size of the key space. From
the above arguments it seems that linking the UD to Pe leads to a better
and more adequate explanation of the UD. For this reason we will
generalize the concept of UD in terms of Pe and call the new distance
the Pe-security distance (Pe-SD).



  Message length L    Average number of different
  (characters)        letters per message
  ----------------    ---------------------------
          5                   4.5
         10                   7.8
         15                  10.2
         20                  12.0
         25                  13.4
         30                  14.5
         40                  16.1
         50                  17.3
         75                  19.2
        100                  20.4
        200                  22.4
        300                  23.0
        400                  23.4
        500                  23.7
        700                  24.2
       1000                  24.6
       1500                  25.2

Table 4.1. The average number of different letters in L letters of
English text. This table was adapted from Meyer and Matyas
[19, table 12.3].

Definition 4.2. The Pe-security distance is defined by

\[ L_m(\gamma) = \min_{L} \{ L \in \mathbb{R}^{+} \mid Pe_m(K/E^{L}) \le \gamma \}, \]

where

m is the actual cipher model and
γ is a value of Pe.

□

Remark. Depending on what one's object is (the key or the message), the
Pe-security distance (for the N-ary case) can be based on \( Pe_m(K/E^{L}) \) or
on \( Pe_m(M/E^{L}) \). From the definition it follows that the Pe-SD depends on
the model "m" used (including the source) and the desirable value of
Pe "γ". The average performance of the Pe-SD is natural and clear.

Corollary 4.2. The Pe-security distance includes the original unicity
distance in a random cipher model as a special case.

Proof. After substitution of

\[ Pe_{RC}(K/E^{L}) = \frac{ |K| - 1 }{ |K| } \cdot 2^{-L \cdot R} \quad \text{and} \quad \gamma = \frac{ |K| - 1 }{ |K|^{2} }, \]

with \( R = \log |M| \cdot \big( 1 - \frac{ H_L(M) }{ \log |M| } \big) \), one easily obtains

\[ \min_{L} \Big\{ L \in \mathbb{R}^{+} \mid L \ge \frac{ \log |K| }{ R } \Big\}, \]

which is the original UD in an RC-model. □

For the SSC-model with redundancy R the Pe-SD characteristics are
given in figure 4.5 for different values of γ. Note that Pe at UD is
almost constant, in conformity with the predictions from the RC-model.

If determining \( L_m(\gamma) \) in a direct manner is quite involved one can make
use of the lower bounds given in the previous sections.

Figure 4.5. The Pe-SD characteristics for an SSC using a binary memoryless
source with redundancy R. The dotted line represents Pe at UD.
(Figure not reproduced.)






Example 4.6. For a PC-model using a discrete memoryless source with
a priori probabilities p and q we have for the Bhattacharyya coefficient

\[ L_{PC}(\gamma) \ge \min_{L} \Big\{ L \in \mathbb{R}^{+} \mid \tfrac{1}{2} \Big( 1 - \sqrt{ 1 - (4pq)^{L} } \Big) \le \gamma \Big\}, \]

from which it is easily found that

\[ L_{PC}(\gamma) \ge \frac{ \log [ 1 - (1 - 2\gamma)^{2} ] }{ \log (4pq) }. \]

The Pe-SD can be applied in the reverse direction too, i.e. for a
given L the corresponding expected value of γ can be found. Using the
same arguments lower bounds on Pe can be considered to determine γ.

Example 4.7. Again, consider an SSC using a discrete memoryless source
with p=0.7 and L=7 [2, example 7.2]. Jürgensen and Matthews stated
that this system is highly insecure even though \( H(K/E^{7}) \approx 0.44 \) is fairly
large. Since \( H(K/E^{L}) \) itself defines an upper bound on \( Pe(K/E^{L}) \), one
must make use of Fano's inequality \( H(K/E^{L}) \le H(Pe) + Pe \cdot \log(N-1) \). From
N=2 and \( H(K/E^{7}) \approx 0.44 \) it is found that \( \gamma \approx 0.09 \). Therefore we may
conclude that the system for the given source is indeed insecure.

□
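As an added example (not the paper's code) tying theorem 4.1, corollary 4.2 and examples 4.6 and 4.7 together: the block evaluates \( Pe_{RC}(K/E^{L}) \), its value at unicity distance, the Pe-SD of the RC-model (which reduces to log|K|/R when γ is the UD value of corollary 4.1), the Bhattacharyya lower bound on the Pe-SD of a binary pure cipher from example 4.6, and the inversion of Fano's inequality used in example 4.7, done numerically by bisection. Base-2 logarithms are assumed throughout; the function names and the sample parameters in the usage lines are mine.

```python
"""Pe-security distance computations for section 4.

Added example, not code from the paper. Assumptions: base-2 logarithms,
the RC-model quantities of theorem 4.1 with redundancy R = log|M| - H_L(M)
in bits per symbol, and a numerical (bisection) inversion of the binary
entropy function for the Fano step of example 4.7.
"""
from math import log2


def pe_rc(key_space: int, L: float, R: float) -> float:
    """Theorem 4.1: Pe_RC(K/E^L) = (|K|-1)/|K| * 2^(-L R)."""
    return (key_space - 1) / key_space * 2.0 ** (-L * R)


def pe_rc_at_ud(key_space: int) -> float:
    """Corollary 4.1: at unicity distance L R = log|K|, so Pe = (|K|-1)/|K|^2."""
    return (key_space - 1) / key_space ** 2


def pe_sd_rc(key_space: int, R: float, gamma: float) -> float:
    """Definition 4.2 for the RC-model: smallest real L with Pe_RC <= gamma.
    With gamma = pe_rc_at_ud(|K|) this is log|K|/R, the classical UD
    (corollary 4.2)."""
    return log2((key_space - 1) / (key_space * gamma)) / R


def pe_sd_pc_bhattacharyya(p: float, gamma: float) -> float:
    """Example 4.6: lower bound on the Pe-SD of a binary pure cipher derived
    from the Bhattacharyya lower bound, log[1-(1-2 gamma)^2] / log(4pq)."""
    q = 1.0 - p
    return log2(1.0 - (1.0 - 2.0 * gamma) ** 2) / log2(4.0 * p * q)


def binary_entropy(x: float) -> float:
    """H(x) = -x log x - (1-x) log(1-x), with H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1.0 - x) * log2(1.0 - x)


def fano_lower_bound_binary(h_key: float, tol: float = 1e-9) -> float:
    """Example 4.7: for N=2 Fano's inequality reads H(K/E^L) <= H(Pe), so the
    smallest Pe in [0, 1/2] with H(Pe) >= H(K/E^L) is a lower bound on Pe.
    H is increasing on [0, 1/2], so bisection locates it."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if binary_entropy(mid) < h_key:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Sample parameters below are constructed for illustration only.
    print("Pe_RC at UD for |K|=2:", pe_rc_at_ud(2))
    print("Pe-SD of RC-model, |K|=2^20, R=3.2 bits, gamma=UD value:",
          pe_sd_rc(2 ** 20, 3.2, pe_rc_at_ud(2 ** 20)))
    print("Bhattacharyya bound on L_PC(0.126) for p=0.7:",
          pe_sd_pc_bhattacharyya(0.7, 0.126))
    print("Fano lower bound on Pe from H(K/E^7)=0.44:",
          fano_lower_bound_binary(0.44))
```

The last line reproduces the γ ≈ 0.09 of example 4.7, and the Bhattacharyya line shows why the bounds of section 2 only approximate the Pe-SD: for p=0.7 the bound puts the length at which Pe drops to 0.126 near 4.7 symbols, whereas the exact value is L=7.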

It is illustrated by the example why the key equivocation itself,
judged as measure of theoretical security, behaves poorly: it is an
upper bound and usually only tight for large L. Although the key equivocation
may be a poor measure of security in many cases, it certainly
does not degrade the use of Shannon's information measure in cryptanalysis.
The strength of this measure can be explained by the natural
interpretation and accordingly by the convenient way of manipulating
between different pd's. For example, this has been demonstrated by Lu
[8].

References

[1] C.E. Shannon, Communication theory of secrecy systems, Bell Syst.
Tech. J. 28, pp. 656-715 (1948).

[2] H. Jürgensen and D.E. Matthews, Some results on the information
theoretic analysis of cryptosystems, Proc. of CRYPTO '83, Santa
Barbara, California, August 1983, pp. 303-356.

[3] M.E. Hellman, An extension of the Shannon Theory Approach to
Cryptography, IEEE Trans. Inform. Theory IT-23, pp. 289-294 (1977).

[4] R. Blom, Bounds on Key Equivocation for Simple Substitution
Ciphers, IEEE Trans. Inform. Theory IT-25, pp. 8-18 (1979).

[5] R. Blom, An Upper Bound on the Key Equivocation for Pure Ciphers,
IEEE Trans. Inform. Theory IT-30, pp. 82-84 (1984).

[6] J.G. Dunham, Bounds on Message Equivocation for Simple Substitution
Ciphers, IEEE Trans. Inform. Theory IT-26, pp. 522-527 (1980).

[7] A. Sgarro, Error Probabilities for Simple Substitution Ciphers,
IEEE Trans. Inform. Theory IT-29, pp. 190-198 (1983).

[8] S.C. Lu, The Existence of Good Cryptosystems for Key Rates Greater
than the Message Redundancy, IEEE Trans. Inform. Theory IT-25,
pp. 475-477 (1979).

[9] L. Kanal, Patterns in pattern recognition: 1968-1974, IEEE Trans.
Inform. Theory IT-20, pp. 697-722 (1974).

[10] C.H. Chen, Statistical pattern recognition, Hayden Book Co.,
Rochelle Park, New Jersey (1973).

[11] I. Csiszár, Information-type measures of difference of probability
distributions and indirect observations, Stud. Sci. Math.
Hungar. 2, pp. 299-318 (1967).

[12] D.E. Boekee and J. van Tilburg, Bounds on the Bayesian Error
Probability using Concave Functions, to appear.

[13] D.E. Boekee and J.C. Ruitenbeek, A Class of Lower Bounds on the
Bayesian Probability of Error, Information Sciences 25, pp. 21-35
(1981).

[14] D.E. Boekee and J.C.A. van der Lubbe, Some Aspects of Error
Bounds in Feature Selection, Pattern Recognition, Vol. 11, pp.
353-360 (1979).

[15] T. Ito, Approximate Error Bounds in Pattern Recognition, Machine
Intelligence, Vol. 7, pp. 369-376, Edinburgh Univ. Press (1972).

[16] R. Blom, On Pure Ciphers, Internal Rep. LiTH-ISY-I-0286,
Linköping University, Sweden (1979).

[17] V.A. Kovalevsky, On the Criteria for the Information Content of
a System of Features, In: Image Pattern Recognition, pp. 67-90
(1980).

[18] J. van Tilburg, Decisions and Selections based on the Bayesian
Error Probability with Shannon Information, Certainty and f-divergence,
Thesis, Delft Univ. of Techn. (1984, in Dutch).

[19] C.H. Meyer and S.M. Matyas, Cryptography: a new dimension in computer
data security, Wiley, NY (1982).



A chosen text attack on the RSA cryptosystem
and some discrete logarithm schemes

Y. Desmedt 

Aangesteld Navorser NFWO 
Katholieke Universiteit Leuven 
Laboratorium ESAT 
B-3030 Heverlee, Belgium 

A. M. Odlyzko 

AT&T Bell Laboratories 
Murray Hill, NJ 07974, USA 

ABSTRACT 

A new attack on the RSA cryptosystem is presented. This attack assumes less than previous 
chosen ciphertext attacks, since the cryptanalyst has to obtain the plaintext versions of some 
carefully chosen ciphertexts only once, and can then proceed to decrypt further ciphertexts 
without further recourse to the authorized user's decrypting facility. This attack is considerably 
more efficient than the best algorithms that are known for factoring the public modulus. The 
same idea can also be used to develop an attack on the three-pass system of transmitting 
information using exponentiation in a finite field. 

1. Introduction 

The RSA cryptosystem [13] is perhaps the most famous public key cryptosystem and, 
together with the Diffie-Hellman key exchange scheme [6], is one of the most important public 
key systems. It is often thought that breaking the RSA system is as hard as factoring the public 
modulus n used in the system, but this has never been proved. The attack by Simmons and 
Norris [14] involving repeated encryptions has been shown to be unlikely to succeed if the primes 
dividing the modulus n are chosen carefully [12]. On the other hand, it has been pointed out 
that there are ways to employ the RSA system that can be cryptanalyzed without factoring n. 
For example, Knuth's proposal to use a small encryption exponent (to speed up operation) was 
shown to be unsafe when the same message is being sent to several destinations simultaneously 
[1] (see also [4; pp. 57-58] and [7]). 



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 516-522, 1986. 
© Springer- Verlag Berlin Heidelberg 1986 






Another attack on some particular ways to employ the RSA system is due to Davida [3] (see
also [5]), and our result is similar to it and can be considered as a generalization of it. In that
attack, suppose that n is the public modulus of user A and E the public encryption exponent.
Suppose that the cryptanalyst intercepts the ciphertext \( c = m^{E} \pmod{n} \), and wishes to recover
the plaintext m. He chooses a random integer x and forms

\[ c' = c \, x^{E} \pmod{n}. \]

If he can now get user A to decrypt c' (for example, if A uses the pair (E, n) for signatures and
is willing to sign challenge messages, or else if A discards decrypted messages that appear
meaningless, and the cryptanalyst can get access to these discards), then he obtains

\[ (c')^{D} = c^{D} x = m \, x \pmod{n}, \]

and can recover m. Thus the cryptanalyst can decipher any single ciphertext at the cost of using
A's decryption mechanism once.
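The property the Davida-style attack rests on is that textbook RSA is multiplicative, so \( c' = c\,x^{E} \) decrypts to \( m\,x \). The following added example (not code from the paper) shows this on a toy modulus and, from the defender's side, the check a decryption facility must apply before releasing any plaintext: it refuses output that does not have the expected structure, which is precisely the "discarded meaningless decryption" the text identifies as the leak. The modulus p=61, q=53 and the 12-bit tagged message format are constructed for illustration; a real system uses a standardized padding with far more redundancy than the 4-bit tag here, since a short tag still leaks for the fraction of blinding factors whose product happens to look well formed.

```python
"""RSA malleability behind the Davida-style attack, and the structure check a
decryption facility should apply before releasing a plaintext.

Added example, not code from the paper. Toy parameters (constructed):
p=61, q=53, E=17; a 12-bit message is well formed when its top 4 bits
equal the tag 0xA.
"""
from math import gcd
from random import randrange
from typing import Optional

P, Q = 61, 53
N = P * Q                               # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))       # 2753, the private exponent
TAG, TAG_BITS, MSG_BITS = 0xA, 4, 12


def encrypt(m: int) -> int:
    return pow(m, E, N)


def raw_decrypt(c: int) -> int:
    return pow(c, D, N)


def well_formed(m: int) -> bool:
    """Constructed format: m fits in 12 bits and carries the 4-bit tag."""
    return 0 <= m < (1 << MSG_BITS) and (m >> (MSG_BITS - TAG_BITS)) == TAG


def decryption_facility(c: int) -> Optional[int]:
    """User A's decryptor: returns the plaintext only if it is well formed.
    Releasing malformed decryptions (or discarding them where an attacker
    can read the discards) is exactly what the attack in the text needs."""
    m = raw_decrypt(c)
    return m if well_formed(m) else None


def blinded_query_recovers(c: int, x: int) -> bool:
    """c' = c * x^E decrypts to m * x (mod N); if the facility releases that
    value, multiplying by x^-1 gives back m. Returns True when the format
    check failed to stop the recovery for this blinding factor x."""
    c_blind = (c * pow(x, E, N)) % N
    released = decryption_facility(c_blind)
    if released is None:
        return False
    return (released * pow(x, -1, N)) % N == raw_decrypt(c)


def refusal_rate(c: int, trials: int = 2000) -> float:
    """Fraction of random blinding factors the facility refuses. With a 4-bit
    tag about 256/3233 of the residues are well formed, so roughly 8% of
    blinded queries still leak: the tag is far too short a check."""
    refused = 0
    for _ in range(trials):
        x = randrange(2, N)
        while gcd(x, N) != 1:               # keep x invertible mod N
            x = randrange(2, N)
        if not blinded_query_recovers(c, x):
            refused += 1
    return refused / trials


if __name__ == "__main__":
    m = (TAG << (MSG_BITS - TAG_BITS)) | 0x5C   # 0xA5C, a well-formed message
    c = encrypt(m)
    print("direct decryption released:", decryption_facility(c) == m)
    print("blinded queries refused:", refusal_rate(c))
```

The refusal rate of about 92% is the point of the example: a structure check on the released plaintext is necessary, but with little redundancy it is not sufficient, which is why the padding redundancy and the policy of never returning raw decryptions (or raw signatures on challenge values) matter more than the check itself.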

In this note we present a slightly different attack. As in the Davida-style attacks, it requires
that user A decrypt a certain number of chosen ciphertexts and make the decrypted versions
available to the cryptanalyst. (We are assuming here for simplicity that user A's public key
(E, n) is used to send private information to him. A similar procedure applies if these keys are
used for authentication, in which case a chosen plaintext attack is used.) The difference
between our scheme and Davida's is that once the decrypted plaintexts of the chosen ciphertexts
are obtained, no further decryptions by A are needed to read individual messages. More
precisely, let L = L(n) denote any quantity that satisfies [11]

\[ L = \exp\Big( (1 + o(1)) \, \big( (\log n)(\log \log n) \big)^{1/2} \Big) \quad \text{as } n \to \infty. \]

Then, if the cryptanalyst succeeds in obtaining decrypted versions of \( L^{1/2} \) chosen ciphertexts, he
can decipher any specific ciphertext in \( L^{1/2} \) bit operations on his own computer. (It is possible to
decrease the number of operations required to decrypt individual ciphertexts at the cost of
increasing the number of uses of A's decryption facility, and vice versa.) The importance of this
result is that the best currently known algorithms for factoring integers of the same size as n
require L bit operations [2,8,9]. (The memory required is \( L^{1/2} \) bits for our attack, although it
can be a very slow memory, such as a tape. Some factoring algorithms require negligible
memory, while others also require \( L^{1/2} \).) Therefore our attack on the RSA cryptosystem,
although based on very special assumptions, appears to be the most general one that has been
proposed so far and is substantially faster than factoring n.






Our basic assumptions are not completely unrealistic. It is easy to imagine situations where 
decryptions that are not intelligible might not be classified and would be thrown away (either by 
poorly trained secretaries or by software programs) in a form where they could be intercepted by 
the cryptanalyst. Also, one can imagine situations in which repairmen servicing either the 
decryption "black box" or nearby pieces of equipment could obtain the desired decryptions. 
Another scenario where our attack might apply arises when a whole group of users uses the same 
decryption key, which is not accessible to them. By using the decryption "black box," any one 
user can accumulate data required by our attack which would let him break the scheme even 
after he was denied access to the "black box" if the key was not changed. (The reader could 
remark that group members can sign all the messages they wish and use them later on, so this 
method is not necessary. However, not all fraudulent messages that the forgers might wish to 
use can be predicted beforehand.) 

Our attack can also be applied to the well-known "three-pass" system for transmitting
information using exponentiation in a finite field [8; pp. 345-346]. In it, user A wishes to send
message m to user B, where m is regarded as belonging to some fixed and known finite field
GF(q). User A selects an integer a such that (a, q-1) = 1 and transmits \( m^{a} \) to B. User B
then selects an integer b with (b, q-1) = 1 and sends \( m^{ab} \) to A. Next, A computes a' such that
\( aa' \equiv 1 \pmod{q-1} \), and sends \( m^{aba'} = m^{b} \) to B, who now obtains m from \( m = m^{bb'} \), where
\( bb' \equiv 1 \pmod{q-1} \). Should user B always use the same integer b, our attack could again be
applied. In it the cryptanalyst would send \( L^{1/2} \) messages u to B (where
\( L = \exp\big( (1+o(1)) \, ((\log q)(\log \log q))^{1/2} \big) \) this time), would receive \( u^{b} \) for each one of them,
and would then be able to decipher any messages that might be sent to B using this protocol in
\( L^{1/2} \) bit operations on his own computer. The same kind of attack applies if user A always uses
the same integer a. (This kind of attack could also be applied to the basic Diffie-Hellman key
distribution scheme, but in that context is less realistic.)

The basic lesson of our attack is that one has to be very careful in using the RSA 
cryptosystem and discrete exponentiation schemes to keep them secure. If the attacks that are 
outlined above have to be guarded against, moduli somewhat larger than those currently being 
recommended are likely to be required. However, as we note at the end of the next section, in 
practical situations the necessary increase in the modulus size is likely to be quite small. 

2. The attack 

Our attack is a modification of an algorithm used for computing discrete logarithms in fields 
GF(p) for p a prime [2]. Many of the number theoretic estimates that we utilize can be found 
there and in [11]. 






Let $a > 0$ be fixed, and let $k = \lfloor n^{1/2} \rfloor$. In the first stage we utilize user A's decrypting
facility to obtain $x^D \pmod n$ for all $x \in S = S_1 \cup S_2$, where

$$S_1 = \{p : p \le L^a,\ p \text{ a prime}\}, \qquad S_2 = \{k+1,\ k+2,\ \ldots,\ k + L^a\}. \qquad (2.1)$$

In order to avoid detection by any simple screening program, we choose a random $y_x$ for each x
and obtain $(x y_x^E)^D = x^D y_x \pmod n$ from the decrypting algorithm, which then allows us to
obtain $x^D \pmod n$.

Once we have obtained $x^D \pmod n$ for all $x \in S$, we can proceed to decrypt individual
ciphertexts c. (At this stage we will not need to use the decrypting facility any more.) The
basic idea is to find a representation

$$c \equiv y^E \prod_{x \in S} x^{a_x} \pmod n \qquad (2.2)$$

for some integers $a_x$ and y, since then

$$c^D \equiv y \prod_{x \in S} (x^D)^{a_x} \pmod n,$$

where y and all the $x^D$ are known to the cryptanalyst as explained above.

To obtain the representation (2.2), we proceed in two stages. In the first stage we find a y
and primes $q_i \le L^{2a}$ such that

$$c \equiv y^E \prod_i q_i \pmod n. \qquad (2.3)$$

To obtain the representation (2.3), we choose a random y, compute

$$b \equiv c y^{-E} \pmod n, \qquad 1 \le b < n,$$

and check whether b factors into primes $q \le L^{2a}$. We expect to test approximately $L^{1/(4a)}$
values of y before a factorization of c of the form (2.2) is found [2,11], and for each y, it takes
$L^{o(1)}$ bit operations to test whether such a factorization exists by using Lenstra's elliptic curve
factorization algorithm [9]. Therefore this stage is expected to take time $L^{1/(4a)+o(1)} = L^{1/(4a)}$.






Once a factorization of the form (2.3) is obtained, we proceed to the second stage, in which
we represent each of the at most $O(\log n) = L^{o(1)}$ primes $q = q_i \le L^{2a}$ in the form

$$q \equiv \prod_{x \in S} x^{u_x} \pmod n, \qquad (2.4)$$

where only $O(\log n)$ of the $u_x$ are non-zero (possibly negative). Once such a representation is
obtained for each of the q's, we quickly obtain (2.2).

To see how to represent a prime $q \le L^{2a}$ in the form (2.4), let

$$m = \lfloor n^{1/2} q^{-1} \rfloor$$

and determine those integers among

$$m+1,\ m+2,\ \ldots,\ m + L^{\beta} \qquad (2.5)$$

that are divisible solely by primes $p \le L^a$. There will be $L^{\beta - 1/(4a)}$ such integers, and finding
them will take $L^{\beta}$ bit operations if we employ the Lenstra algorithm, for example.

We next consider two cases. If $a > 1/2$, we take $\beta = 1/(4a) + \delta$ for any $\delta > 0$. We then
have $L^{\delta}$ integers $m+j$, $1 \le j \le L^{\beta}$, all of whose prime factors are $\le L^a$. For each such
integer and any i, $1 \le i \le L^{1/(4a)}$ (note that $1/(4a) < a$),

$$q(m+j)(k+i) \equiv t \pmod n, \qquad (2.6)$$

where $t \le n^{1/2+o(1)}$ and k was defined at the beginning of this section. Therefore, if the t's
factor like random integers of the same size, we will find $L^{\delta}$ t's that factor into primes $\le L^a$,
and any single one will give us a factorization of the form (2.4), which gives the desired result.
Since testing of each t takes $L^{o(1)}$ bit operations, this stage requires $L^{\beta+o(1)}$ bit operations as
$n \to \infty$, and since this holds for all $\delta > 0$, we conclude that for $a > 1/2$, this stage can be carried
out in $L^{1/(4a)}$ bit operations.

It remains to consider the case $a < 1/2$. Here we take $\beta = 1/(2a) - a + \delta$. We expect to
find $L^{\beta - 1/(4a)} = L^{1/(4a) - a + \delta}$ values of $m+j$, $1 \le j \le L^{\beta}$, which factor into primes $\le L^a$, and it
takes $L^{\beta+o(1)} = L^{\beta}$ bit operations to find them. For each one, and for $1 \le i \le L^a$, we test
whether the t defined by (2.6) is composed of primes $\le L^a$. We expect to find $L^{\delta}$ of them.
Letting $\delta \to 0$, we discover that this case takes $L^{1/(2a) - a}$ bit operations.






We thus conclude that if the cryptanalyst can obtain decryptions of $L^a$ chosen ciphertexts he
will be able to decrypt any individual ciphertext in $L^{1/(4a)}$ bit operations for $a > 1/2$, and in
$L^{1/(2a) - a}$ bit operations for $0 < a < 1/2$. For $a = 1/2$, both stages require $L^{1/2}$ steps. Since the
modulus n can be factored in L bit operations, our attack has an asymptotically smaller running
time precisely for

$$\frac{-1 + \sqrt{3}}{2} = 0.366\ldots < a < 1.$$



In practice, our $L^{1/2}$ attack does not offer too much of a speed improvement over the L
attacks that factor the modulus. The main reason is that for moduli of practical size (500 to
1000 binary bits) $L^{1/2}$ is quite small, and there is no known way to test whether an integer of
size about n (or even $n^{1/2}$) is divisible only by primes $\le L^{1/2}$ that is much more efficient than
trial division. The Lenstra algorithm can be avoided by utilizing somewhat more involved,
although probably more efficient methods (cf. [2]), but even they probably would not offer too
much of a speedup.
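The two stages of the attack, carried out on a constructed toy modulus as an added Python illustration (my code, not the paper's; the 20-bit parameters, the prime bound 100, the seed and all function names are my choices). It shows why a decryption facility that returns raw RSA results for arbitrary ciphertexts is dangerous: the blinding factor y makes every stage-one query look random to a screening program, and afterwards the stored x^D values decrypt fresh ciphertexts with no further access to the facility.

```python
import random
from math import gcd


def toy_rsa():
    """Constructed toy RSA parameters (a 20-bit modulus; far too small for real use)."""
    p, q = 1019, 1021
    n, phi = p * q, (p - 1) * (q - 1)
    E = 65537
    D = pow(E, -1, phi)                      # modular inverse (Python >= 3.8)
    return n, E, D


def primes_up_to(bound):
    """Primes p <= bound; these play the role of S_1, the set of small primes x."""
    sieve = [True] * (bound + 1)
    primes = []
    for i in range(2, bound + 1):
        if sieve[i]:
            primes.append(i)
            for k in range(i * i, bound + 1, i):
                sieve[k] = False
    return primes


def smooth_factorization(b, primes):
    """Exponents a_x with b = prod x^{a_x} over `primes`, or None if b is not smooth."""
    exps = {}
    for p in primes:
        while b % p == 0:
            b //= p
            exps[p] = exps.get(p, 0) + 1
    return exps if b == 1 else None


def stage1_collect_roots(oracle, n, E, primes, rng):
    """First stage: learn x^D mod n for every small prime x through blinded queries.

    The query x * y^E is indistinguishable from a random ciphertext; the oracle
    returns (x y^E)^D = x^D y, and multiplying by y^{-1} leaves x^D.
    """
    roots = {}
    for x in primes:
        while True:
            y = rng.randrange(2, n)
            if gcd(y, n) == 1:
                break
        blinded = x * pow(y, E, n) % n
        roots[x] = oracle(blinded) * pow(y, -1, n) % n
    return roots


def stage2_decrypt_offline(c, n, E, roots, rng, max_tries=200000):
    """Second stage: decrypt c with no further oracle access.

    Pick random y until b = c * y^{-E} mod n factors over the known primes
    (equation (2.3), with every q_i already in S); then c^D = y * prod (x^D)^{a_x},
    which needs only the stored roots.
    """
    primes = list(roots)
    for _ in range(max_tries):
        y = rng.randrange(2, n)
        if gcd(y, n) != 1:
            continue
        b = c * pow(y, -E, n) % n
        exps = smooth_factorization(b, primes)
        if exps is None:
            continue
        result = y
        for x, a_x in exps.items():
            result = result * pow(roots[x], a_x, n) % n
        return result
    return None


def run_attack_demo(message=123456, seed=7):
    """Returns (plaintext recovered without the oracle, original plaintext)."""
    rng = random.Random(seed)
    n, E, D = toy_rsa()
    oracle = lambda c: pow(c, D, n)          # A's decryption facility; D is used nowhere else
    roots = stage1_collect_roots(oracle, n, E, primes_up_to(100), rng)
    c = pow(message, E, n)
    return stage2_decrypt_offline(c, n, E, roots, rng), message
```

With 25 primes below 100 the cryptanalyst makes 25 blinded queries; a random residue modulo this n is 100-smooth with probability of a few percent, so the second stage succeeds after a few dozen offline trials.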






References 

1. M. Blum, A potential danger with low-exponent modular encryption schemes, to be 
published. 

2. D. Coppersmith, A. M. Odlyzko, and R. Schroeppel, Discrete logarithms in GF(p), 
Algorithmica, to appear. 

3. G. Davida, Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem, 
Tech. Rept. TR-CS-82-2, Dept. of Electrical Engineering and Computer Science, Univ. of 
Wisconsin, Milwaukee, Wisconsin, Oct. 1982. 

4. R. A. DeMillo, G. I. Davida, D. P. Dobkin, M. A. Harrison, and R. J. Lipton, Applied 
Cryptology, Cryptographic Protocols, and Computer Security Models, Proc. Symp. Appl. 
Math. #29, Am. Math. Soc. 1983. 

5. D. E. Denning, Digital signatures with RSA and other public-key cryptosystems, Comm. 
ACM 27 (1984), 388-392. 

6. W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. 
Theory, IT-22 (1976), 644-654. 

7. J. Hastad, On using RSA with low exponent in a public key network, to be published. 

8. A. G. Konheim, Cryptography: A Primer, Wiley, 1981. 

9. H. W. Lenstra, Jr., manuscript in preparation. 

10. A. M. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, 
Proc. Eurocrypt '84, to appear. 

11. C. Pomerance, Analysis and comparison of some integer factoring algorithms, pp. 89-139 in 
Computational Methods in Number Theory: Part 1, H. W. Lenstra, Jr., and R. Tijdeman, 
eds., Math. Centre Tract 154, Math. Centre Amsterdam, 1982. 

12. R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public-key
cryptosystem, Cryptologia 2 (1978), 62-65.

13. R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and
public-key cryptosystems, Comm. ACM 21 (1978), 120-126.

14. G. T. Simmons and J. N. Norris, Preliminary comments on the M.I.T. public-key
cryptosystem, Cryptologia 1 (1977), 406-414.



ON THE DESIGN OF S-BOXES 



A. F. Webster and S. E. Tavares 
Department of Electrical Engineering 
Queen's University 
Kingston, Ont. 
Canada 

The ideas of completeness and the avalanche effect were first introduced
by Kam and Davida [1] and Feistel [2], respectively. If a cryptographic transformation
is complete, then each ciphertext bit must depend on all of the plaintext
bits. Thus, if it were possible to find the simplest Boolean expression for each
ciphertext bit in terms of the plaintext bits, each of those expressions would have
to contain all of the plaintext bits if the function was complete. Alternatively, if
there is at least one pair of n-bit plaintext vectors X and $X_i$ that differ only in
bit i, and f(X) and $f(X_i)$ differ at least in bit j for all

$$\{(i, j) \mid 1 \le i, j \le n\}$$

then the function f must be complete.

For a given transformation to exhibit the avalanche effect, an average
of one half of the output bits should change whenever a single input bit is
complemented. In order to determine whether a given $m \times n$ (m input bits and
n output bits) function f satisfies this requirement, the $2^m$ plaintext vectors must
be divided into $2^{m-1}$ pairs, X and $X_i$, such that X and $X_i$ differ only in bit i.
Then the $2^{m-1}$ exclusive-or sums

$$V_i = f(X) \oplus f(X_i)$$

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 523-534, 1986. 
© Springer-Verlag Berlin Heidelberg 1986






must be calculated. These exclusive-or sums will be referred to as avalanche 
vectors, each of which contains n bits, or avalanche variables. 

If this procedure is repeated for all i such that 1 < i < m, and one half 
of the avalanche variables are equal to 1 for each i, then the function f has a 
good avalanche effect. Of course this method can be pursued only if m is fairly 
small; otherwise, the number of plaintext vectors becomes too large. If that is 
the case then the best that can be done is to take a random sample of plaintext 
vectors X, and for each value of i calculate all the avalanche vectors $V_i$. If
approximately one half the resulting avalanche variables are equal to 1 for all 
values of i, then we can conclude that the function has a good avalanche effect. 

THE STRICT AVALANCHE CRITERION AND THE INDEPENDENCE OF 
AVALANCHE VARIABLES 

The concepts of completeness and the avalanche effect can be combined 
to define a new property which we shall call the strict avalanche criterion. If a 
cryptographic function is to satisfy the strict avalanche criterion, then each 
output bit should change with a probability of one half whenever a single input 
bit is complemented. A more precise definition of the criterion is as follows. 
Consider X and $X_i$, two n-bit, binary plaintext vectors, such that X and $X_i$ differ
only in bit i, $1 \le i \le n$. Let

$$V_i = Y \oplus Y_i$$

where Y = f(X), $Y_i = f(X_i)$ and f is the cryptographic transformation under
consideration. If f is to meet the strict avalanche criterion, the probability that
each bit in $V_i$ is equal to 1 should be one half over the set of all possible plaintext
vectors X and $X_i$. This should be true for all values of i. Again, unless n is small
it would be an immense task to follow this procedure for all possible vector pairs
X and $X_i$.






An alternate method which could be used to ascertain whether a given 
cryptographic transformation, f, satisfies the strict avalanche criterion would be 
to construct a dependence matrix. First an n-bit, random plaintext vector X is 
generated and its corresponding m-bit ciphertext, Y = f(X), is obtained (n and 
m will be equal if f is an invertible transformation and there is no data expansion). 
Then the set of n vectors

$$(X_1, X_2, \ldots, X_n)$$

is formed such that X and $X_j$ differ only in bit j. The ciphertext vectors

$$(Y_1, Y_2, \ldots, Y_n)$$

are then found where $Y_j = f(X_j)$, and they are used to obtain the set of m-bit
binary avalanche vectors

$$(V_1, V_2, \ldots, V_n)$$

such that $V_j = Y \oplus Y_j$. This procedure is illustrated in Figure 1.

The value of bit i in $V_j$ (either a 1 or a 0) is added to element $a_{i,j}$ in
the $m \times n$ dependence matrix A. This procedure is repeated for a large number,
r, of randomly generated plaintext vectors X, and each element in A is divided
by r. Then each $a_{i,j}$ gives the strength of the relationship between plaintext bit
j and ciphertext bit i. A value of 1 indicates that whenever bit j is complemented 
in the plaintext then the ciphertext bit i will also change its value, while a value 
of 0 indicates that the ciphertext bit is completely independent of the plaintext 
bit. If all elements in the matrix have a nonzero value then the cryptographic 
transformation is complete, and if it is to satisfy the strict avalanche criterion, 
every element must have a value close to one half. Therefore, completeness is a 
necessary condition if the strict avalanche criterion is to be met. 



Figure 1. Part of the method for testing to see if a transformation satisfies
the strict avalanche criterion: Input bit j is complemented giving
$V_j$. Each bit i, $1 \le i \le m$, in $V_j$ is added to element $a_{i,j}$ in the
dependence matrix.

A second property which would seem desirable for any cryptographic 
transformation is that, for a given set of avalanche vectors generated by the 
complementing of a single plaintext bit, all the avalanche variables should be 
pairwise independent. In order to measure the degree of independence between 
a pair of avalanche variables, we can calculate their correlation coefficient. For 
two variables A and B

$$\rho\{A, B\} = \frac{\mathrm{cov}\{A, B\}}{\sigma\{A\}\,\sigma\{B\}} \qquad [3,\ \text{p. } 373]$$

where

$\rho\{A, B\}$ = correlation coefficient of A and B
$\mathrm{cov}\{A, B\}$ = covariance of A and B $= E\{AB\} - E\{A\} \times E\{B\}$
$\sigma^2\{A\} = E\{A^2\} - (E\{A\})^2$
For the case of binary variables, it can be shown that a correlation coefficient 
of 0 means that the variables are independent. In addition, the variables will al- 
ways be identical if the correlation coefficient equals 1, and a value of -1 means 
that they will always be complements of one another [4] . 

If either the strict avalanche criterion or the avalanche variable in- 
dependence requirement is not satisfied, then a cryptanalyst can gain some 
information about the statistical properties of the function, which he could 
conceivably use to his advantage in an attack on the system. 

PERFECT S-BOXES 

Now that these two new criteria have been presented, it would seem 
desirable to discover how to produce cryptographic transformations which satisfy 
both conditions. One additional condition that will be imposed on such transf- 
ormations is that they be invertible. This means that there must be a one-to-one 
correspondence between plaintext and ciphertext vectors. 

If there are n input/output bits for a given function, there are $(2^n)!$
possible invertible transformations. This means that there will be approximately
$2 \times 10^{13}$ such functions for a four-bit system. Therefore, the search will be limited
to $4 \times 4$ (four input/four output bit) substitution boxes (S-boxes).






The initial step is to find all the potentially invertible 4x1 functions that 
satisfy the strict avalanche criterion, which will be combined four at a time to 
produce 4x4 substitution boxes. A potentially invertible function returns a value 
of 1 for one half of the possible input vectors and a value of 0 for the other half. 
It is a necessary, but not sufficient, condition if the S-boxes formed from the 
single output bit functions are to be invertible. The 12,870 potentially invertible, 
4 x 1 functions were tested, and it was found that while 12,618 of them were 
complete, only 1368 satisfied the strict avalanche criterion [4]. 
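The dependence-matrix test, the correlation coefficient between avalanche variables, and the enumeration of the 12,870 potentially invertible 4×1 functions, as an added Python example (my code, not the program Webster and Tavares used). The 4×4 S-box is a constructed one chosen so that its dependence matrix can be checked by hand; bits are numbered from 0 here rather than from 1 as in the paper, and the enumeration goes beyond the text by recomputing the 12,870 and 12,618 figures.

```python
from itertools import combinations


def toy_sbox(x):
    """Constructed invertible 4x4 S-box: y0=x0, y1=x1, y2=x2^(x0&x1), y3=x3^(x0&x2)."""
    x0, x1, x2, x3 = (x >> 0) & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    y2 = x2 ^ (x0 & x1)
    y3 = x3 ^ (x0 & x2)
    return x0 | (x1 << 1) | (y2 << 2) | (y3 << 3)


def avalanche_vectors(f, j, inputs):
    """V_j = f(X) xor f(X_j) for every X, where X_j is X with input bit j complemented."""
    return [f(x) ^ f(x ^ (1 << j)) for x in inputs]


def dependence_matrix(f, n, m, inputs=None):
    """a[i][j] = fraction of inputs for which complementing input bit j changes output bit i.

    `inputs` defaults to all 2^n plaintext vectors; pass a random sample when n is large.
    """
    inputs = list(range(1 << n)) if inputs is None else list(inputs)
    a = [[0] * n for _ in range(m)]
    for j in range(n):
        for v in avalanche_vectors(f, j, inputs):
            for i in range(m):
                a[i][j] += (v >> i) & 1
    return [[a[i][j] / len(inputs) for j in range(n)] for i in range(m)]


def is_complete(a):
    """Every ciphertext bit depends on every plaintext bit (no zero entry)."""
    return all(e > 0 for row in a for e in row)


def meets_sac(a, tol=0.0):
    """Strict avalanche criterion: every entry equals one half (within tol)."""
    return all(abs(e - 0.5) <= tol for row in a for e in row)


def correlation(xs, ys):
    """rho{A,B} = cov{A,B} / (sigma{A} sigma{B}) for 0/1 sequences; None if one is constant."""
    r = len(xs)
    ea, eb = sum(xs) / r, sum(ys) / r
    eab = sum(x * y for x, y in zip(xs, ys)) / r
    var_a, var_b = ea - ea * ea, eb - eb * eb         # E{A^2} = E{A} for a binary variable
    if var_a == 0 or var_b == 0:
        return None
    return (eab - ea * eb) / (var_a * var_b) ** 0.5


def avalanche_correlations(f, n, m, j):
    """Pairwise correlations of the m avalanche variables when input bit j is complemented."""
    vs = avalanche_vectors(f, j, range(1 << n))
    cols = [[(v >> i) & 1 for v in vs] for i in range(m)]
    return {(i, k): correlation(cols[i], cols[k]) for i, k in combinations(range(m), 2)}


def is_invertible(f, n):
    """One-to-one correspondence between the 2^n inputs and outputs."""
    return len({f(x) for x in range(1 << n)}) == 1 << n


def count_4x1_functions():
    """Enumerate the C(16,8) potentially invertible (balanced) 4x1 functions.

    Returns (total, number that are complete, number meeting the strict avalanche criterion).
    """
    total = complete = sac = 0
    for ones in combinations(range(16), 8):
        tt = sum(1 << x for x in ones)                  # truth table as a 16-bit integer
        a = dependence_matrix(lambda x, tt=tt: (tt >> x) & 1, 4, 1)
        total += 1
        complete += is_complete(a)
        sac += meets_sac(a)
    return total, complete, sac
```

For the constructed S-box the matrix has zero entries, so it is invertible but neither complete nor SAC; the enumeration reproduces the 12,870 balanced functions of which 12,618 are complete.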

These 1368 functions can be divided into 9 equivalence classes or "fam- 
ilies". Each family is closed under the following operations: 

1. Complementing one or more of the input bits 

2. Permuting the input bits 

3. Complementing the output bit 

Potential invertibility and adherence to the strict avalanche criterion are pre- 
served over these operations. 

The simplest procedure to follow in constructing the substitution boxes 
would be to randomly select potentially invertible, single output bit functions from 
the list of those that satisfy the strict avalanche criterion. First, these substi- 
tution boxes are tested to see if they are invertible. If they satisfy that 
requirement, they are then examined to see if, when each input bit is comple- 
mented, the resulting avalanche variables are pairwise independent. An S-box that 
displays both of these properties will be referred to as a "perfect" substitution
box.

When the method of random selection of single output bit functions was
followed, the probability of the resulting $4 \times 4$ S-boxes being invertible was only
$1.2 \times 10^{-3}$, and only one S-box in $7.1 \times 10^{5}$ was perfect [4]. During this search,
the families of single output bit functions which formed perfect S-boxes were 
noted. In an attempt to reduce the amount of effort required to produce perfect 
S-boxes, the families from which the 4x1 functions were selected were fixed so 
that only combinations which had produced perfect S-boxes in the initial search 
were used. This increased the frequency of occurrence of perfect S-boxes by about
a factor of one thousand. Several other approaches were tried which involved 
relaxing one or both of the strict avalanche criterion and the avalanche variable 
independence requirement, but none proved to be as good as choosing the single 
output bit functions from fixed family combinations. 

In the process of building these S-boxes, it was discovered that if an 
S-box is complete, or even perfect, its inverse function may not be complete. 
This could become important if these inverse functions are used in the decryption 
process, for it would be desirable for any changes in the ciphertext to affect all 
bits in the plaintext in a random fashion, especially if there is not much redun- 
dancy in the original plaintext. Complete cryptographic transformations with in- 
verses which are complete are described as being two-way complete, and if the 
inverse is not complete the transformation is said to be only one-way complete. 

A COMPLETE S-P NETWORK 

Kam and Davida [1] presented a method whereby an entire S-P network 
could be guaranteed to be complete if all the substitution boxes used in the 
procedure were complete. This entailed using specially designed bit permutations 
between the substitution layers. The networks can be of any size as long as

$$n = k^g$$

where

n = the number of input/output bits for the entire network
k = the number of input/output bits for each S-box
g = the number of substitution-permutation stages

Since completeness is a prerequisite if the strict avalanche criterion is 
to be met, we thought that perhaps by using perfect S-boxes in the system we 
could come up with a "perfect" system. A complete S-P network with n = 64, k
= 4 and g = 3 was implemented. Unfortunately, it turned out that each output
bit changed with a probability of only one eighth when a single input bit was
complemented. In fact, it can be shown that the probability of an output bit
changing will always be $2^{-g}$. This was termed avalanche damping. The same test
was run with complete S-boxes of the type that Kam and Davida suggested in their 
paper instead of perfect S-boxes. The mean value of elements in the dependence 
matrix was slightly higher at 0.19, but their variance was over one hundred times 
greater than that calculated when the perfect S-boxes were used [4]. In fact, 
some elements had values as low as 0.01, which represents a significant short- 
coming in the system. 

This test was repeated for S-P networks with perfect S-boxes and random 
bit permutations. A plot of the mean and variance of the elements in the 
dependence matrix is shown in Figure 2. After three rounds, the performance 
is poorer than that for the complete S-P network, but after about 12 rounds the 
strict avalanche criterion is satisfied. This result suggests that with the addition 
of several S-P stages with complete or perfect S-boxes and random bit permu- 
tations, a complete S-P network could still be guaranteed to be complete and would 
probably satisfy the strict avalanche criterion. 



Figure 2. Mean and variance of elements in the dependence matrix for an
S-P network vs. number of substitution-permutation stages (0 to 12): All
the substitution boxes in this network were perfect, and the bit
permutations were generated randomly. It is evident that the strict
avalanche criterion is satisfied after approximately 12 S-P stages.

DES 



The Data Encryption Standard (DES) has been a federal standard in the 
United States since 1977. DES employs substitutions and permutations, but the 
algorithm is much more complex than the one for the complete S-P network [5] . 



It can be shown that the DES algorithm is invertible [3, p. 240]. Since 
the dependence matrix could, in theory, be different for every key, we cannot 
state that DES is always a "perfect" system. However, the results shown in Figure
3 for the key (FF ... FF) indicate that in that case the strict avalanche criterion
is satisfied. In addition, in a sample of 30 correlation coefficients picked at
random, the highest absolute value found was $4.88 \times 10^{-2}$. This suggests that
there is very little correlation between avalanche variables. Similar results were 
obtained using several other key values. Thus, we can conclude that DES is a 
"perfect" encryption algorithm, at least for the key values that were tested. 

Since the S-boxes are the only nonlinear portion of the DES algorithm, 
their characteristics have a significant effect on the strength of the entire system. 
The S-boxes are not invertible, but due to the way in which they are employed 
in the algorithm, this does not pose a problem for decryption. Nor do they satisfy 
the strict avalanche criterion. For the entire set of 8 S-boxes, the probability 
that a particular output bit will change when a single input bit is complemented 
ranges from 0.43 to 0.93. 

The correlation coefficients between pairs of avalanche variables for the
DES S-boxes were also calculated. While most of them had absolute values of less
than 0.5, it was found that when input bit 1 (the least significant bit in the input)
was complemented, the correlation coefficients between bits 1 and 2 and between
bits 3 and 4 in the output of $S_4$ were equal to -1. This is equivalent to the discovery
made by Hellman et al. [6] that the exclusive-or sums of the output bits,
$y1 \oplus y2$ and $y3 \oplus y4$, of $S_4$ are complemented whenever input bit x1 changes its
value. It can also be shown that both of these results can be derived from another
one of their findings

$$S_4(X \oplus 000001) = (2,1)(3,4)\, S_4(X) \oplus (x1, x1, x1, x1)$$

where (2,1)(3,4) means that the first and second bits as well as the third and
fourth bits of the following vector are interchanged.



Figure 3. Mean and variance of DES dependence matrix vs. number of encryption
rounds (0 to 16): These values of mean and variance are only for
elements in one quarter of the dependence matrix, but Meyer [7]
shows that these results will propagate through the rest of the
matrix within two rounds. The strict avalanche criterion is satisfied
after four rounds for this portion of the matrix; therefore,
it will take six rounds before the full system will meet the
requirement.






ACKNOWLEDGEMENTS 

The authors would like to acknowledge the financial support provided by 
the Natural Sciences and Engineering Research Council. 



REFERENCES 



[1] Kam, J.B., and Davida, G.I.: Structured Design of Substitution-Permutation
Encryption Networks. IEEE Transactions on Computers, Vol. 28, No. 10, 747 (1979)

[2] Feistel, H.: Cryptography and Computer Privacy. Scientific American, Vol. 228,
No. 5, 15 (1973)

[3] Konheim, A.G.: Cryptography: a Primer. John Wiley and Sons, New York (1981)

[4] Webster, A.F.: Plaintext/Ciphertext Bit Dependencies in Cryptographic
Algorithms. M.Sc. thesis, Queen's University at Kingston (1985)

[5] National Bureau of Standards: Data Encryption Standard. FIPS Publication
46, Washington, D.C. (1977)

[6] Hellman, M.E., Merkle, R., Schroeppel, R., Washington, L., Diffie, W.,
Pohlig, S., and Schweitzer, P.: Results of an Initial Attempt to Cryptanalyze
the NBS Data Encryption Standard. SEL 76-042, Stanford University (1976)

[7] Meyer, C.H.: Ciphertext/Plaintext and Ciphertext/Key Dependence vs
Number of Rounds for the Data Encryption Standard. 1978 National Computer
Conference, p. 1119. AFIPS Press, Montvale, New Jersey (1978)



THE REAL REASON FOR RIVEST'S PHENOMENON



Don Coppersmith 
IBM Research 
Yorktown Heights, NY 10598 



Burt Kaliski, Ronald Rivest and Alan Sherman [Crypto 85] noticed a short cycle in their experiments with weak
keys in DES. We explain this in terms of fixed points (messages which are left unchanged by encipherment). We
predict similar short cycles using semi-weak keys. We indicate how Rivest et al.'s experimental setup can be used to
show that the group of permutations of message space, generated by DES encryptions, is a large group.

Notation: Let $E_K X$ denote the ciphertext resulting from DES-encrypting the cleartext X under the key K. Similarly
let $D_K X$ represent decryption. Let 0 denote the key of all 0's, and 1 the key of all 1's. Let the input to DES (the
cleartext) be broken into halves $M_0, M_1$. On round i, $1 \le i \le 16$, we compute some function f of the 48 key bits $K_i$
and the 32 message bits $M_i$, add this 32-bit quantity to $M_{i-1}$ bitwise, and obtain $M_{i+1}$. So
$M_{i+1} = M_{i-1} + f(K_i, M_i)$, and $M_{i-1} = M_{i+1} + f(K_i, M_i)$. The ciphertext is the pair $M_{17}, M_{16}$. (Notice the order of
indices, which is correct.)

The keys 0 and 1 (and two others) are known to be weak keys [Davies, Crypto 82] in the sense that the 48 key
bits $K_i$ entering into the computation on round i are the same for each round i: $K_i = K_j$. One consequence of this is
that $E_0$ is an involution: $E_0 X = D_0 X$, so that $E_0^2 X = X$.

A new consequence of being a weak key is that $E_0$ has $2^{32}$ fixed points, i.e. messages Y for which $E_0 Y = Y$. Indeed,
for some message Y, suppose that $M_8 = M_9$. (There are $2^{32}$ such values of Y.) Then

$$M_7 = M_9 + f(K_8, M_8) = M_8 + f(K_9, M_9) = M_{10}.$$

Continuing, we find $M_6 = M_{11}$, $\ldots$, $M_1 = M_{16}$, $M_0 = M_{17}$, and $Y = (M_0, M_1) = (M_{17}, M_{16}) = E_0 Y$. In fact this is the
only way a fixed point can arise for any weak key.

Now pick a random starting message X, and alternately apply $E_0$ and $E_1$. Continue until you return to the starting
point X: $(E_1 E_0)^N X = X$. In Rivest et al.'s experiment, N turned out to be around $2^{32}$. Indeed, suppose that for some
$I \le N$, $(E_1 E_0)^I X = Y$ and Y is a fixed point of $E_0$. Then the next application of $E_0$ leaves Y unchanged, so that
$E_0 (E_1 E_0)^I X = Y$. On the next application of $E_1$, we find

$$(E_1 E_0)^{I+1} X = E_1 E_0 (E_1 E_0)^I X = E_1 Y = D_1 Y = D_1 E_1 E_0 (E_1 E_0)^{I-1} X = E_0 (E_1 E_0)^{I-1} X.$$

Continuing, for $J \le I$, $(E_1 E_0)^{I+J} X = E_0 (E_1 E_0)^{I-J} X$, and we are just retracing our steps. This is because both
$E_0$ and $E_1$ are involutions. We continue until, for some $J > I$, $(E_1 E_0)^{I+J} X = Z$ and Z is another fixed point of $E_0$.
(We could also find fixed points of $E_1$.) We again end up retracing our steps, until we return to the starting value X.
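The fixed-point argument above on a reduced-size Feistel cipher, as an added Python example (mine, not from the paper): 16 rounds, 4-bit halves, a constructed S-box as round function, and a constant round key standing in for a DES weak key. It builds a fixed point from $M_8 = M_9$, confirms by exhaustion that there are exactly $2^4$ of them (the analogue of $2^{32}$), and checks the retracing identity $(E_1 E_0)^{I+J} X = E_0 (E_1 E_0)^{I-J} X$.

```python
HALF_BITS = 4                      # toy: 4-bit halves instead of DES's 32-bit halves
MASK = (1 << HALF_BITS) - 1
ROUNDS = 16
# Constructed 4-bit S-box providing the round function's nonlinearity.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def f(k, m):
    """Round function f(K_i, M_i); the fixed-point argument holds for any f."""
    return SBOX[(m ^ k) & MASK]


def feistel(msg, round_keys):
    """Feistel network in the paper's notation: M_{i+1} = M_{i-1} + f(K_i, M_i).

    `msg` is the pair (M_0, M_1); the output is the pair (M_17, M_16), so the same
    function with the round keys reversed is the decryption.
    """
    m_prev, m_cur = msg
    for k in round_keys:
        m_prev, m_cur = m_cur, m_prev ^ f(k, m_cur)
    return (m_cur, m_prev)


def weak_key_encrypt(msg, k):
    """E_K for a 'weak' key: the same subkey k enters every round, so E_K = D_K."""
    return feistel(msg, [k] * ROUNDS)


def fixed_point_from_middle(v, k):
    """Message Y with M_8 = M_9 = v, obtained by running the recurrence backwards:
    M_{i-1} = M_{i+1} + f(K_i, M_i) for i = 8, 7, ..., 1. Returns (M_0, M_1)."""
    m_next, m_cur = v, v                     # (M_9, M_8)
    for _ in range(ROUNDS // 2):
        m_next, m_cur = m_cur, m_next ^ f(k, m_cur)
    return (m_cur, m_next)


def all_fixed_points(k):
    """Exhaustive search of the whole 2^(2*HALF_BITS) message space for E_K Y = Y."""
    space = range(1 << HALF_BITS)
    return {(a, b) for a in space for b in space if weak_key_encrypt((a, b), k) == (a, b)}


def walk(x, k0, k1, steps):
    """s_0 = X, s_{i+1} = E_1 E_0 s_i: the alternating experiment of Rivest et al."""
    seq = [x]
    for _ in range(steps):
        seq.append(weak_key_encrypt(weak_key_encrypt(seq[-1], k0), k1))
    return seq


def cycle_length(x, k0, k1):
    """Smallest N >= 1 with (E_1 E_0)^N X = X, the quantity measured in the experiment."""
    y, n = walk(x, k0, k1, 1)[-1], 1
    while y != x:
        y, n = walk(y, k0, k1, 1)[-1], n + 1
    return n
```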



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 535-536, 1986. 
© Springer-Verlag Berlin Heidelberg 1986






The cycle length N is approximately the number of trials we needed to find two fixed points (of either $E_0$ or $E_1$).
Since these fixed points are plentiful ($2^{32}$ out of $2^{64}$, or 1 out of $2^{32}$), the expected value of N is $2^{32}$, in close
agreement with Rivest et al.'s results.



In a similar vein, suppose K is alternating 010101... or 101010... in each key half (a special case of the "semi-weak
keys" [Davies]). Let $\bar{Z}$ denote the complement of Z. Then we find that $E_K = D_{\bar{K}}$, there are $2^{32}$ values Y for
which $E_K Y = \bar{Y}$ (namely those for which $M_8 = \bar{M}_9$); and for a random X we expect to find that $E_K^N X = X$ for
$N = 2^{33}$.

Finally, for different starting values $X_i$, we expect to find different cycle lengths $N_i$. Consider the subgroup G of
the group of permutations on message space $S_{2^{64}}$ generated by the DES encryptions $E_K$, $K \in Z_2^{56}$. Each $N_i$ divides the
size of G. Run either of the above experiments several times, finding different values $N_i$ corresponding to $E_1 E_0$ or to
$E_K$ for one of the four alternating semiweak keys K. Each experiment takes a few days. Then the least common
multiple $\mathrm{lcm}(N_1, N_2, \ldots, N_i)$ divides the order of the group, and thus provides a lower bound. So the experiments,
which were designed to detect a small group size ($|G| < 2^{70}$?), might be used to show a large group size
($|G| > 2^{300}$?).






THE IMPORTANCE OF "GOOD" KEY SCHEDULING SCHEMES
(HOW TO MAKE A SECURE DES* SCHEME WITH < 48 BIT KEYS?)

Jean-Jacques Quisquater^a, Yvo Desmedt^{b,1} and Marc Davio^{a,c}

^a Philips Research Laboratory Brussels,
Avenue Van Becelaere, 2, B-1170 Brussels, Belgium;

^b Katholieke Universiteit Leuven, Laboratorium ESAT,
Kardinaal Mercierlaan, 94, B-3030 Heverlee, Belgium;

^c Université Catholique de Louvain, Bâtiment Maxwell,
Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium.



Abstract 

In DES the key scheduling scheme uses mainly shift registers. By modifying this key 
scheduling, conventional cryptosystems can be designed which are, e.g., strong against 
exhaustive key search attacks (without increasing the key size), or have public key like 
properties. Other effects obtainable by modifying the key scheduling and their importance 
are discussed. 



1. Introduction 

In this paper we come up with several ideas which are in contradiction with the 
common points of view in cryptography. So in the first idea (see Section 2) we will 
propose to reduce the key size of a cryptosystem to increase its security against exhaustive 
key search machines. This idea sounds crazy, but can be realized for some cryptographic 
encryption algorithms (e.g. DES) if some very small modifications are used. In the second 
idea we will come up with a conventional cryptosystem which has public key like properties 
(see Section 3). In Section 4, we will give examples of conventional cryptosystems for which 
outsiders can prove the existence of a trapdoor in the scheme but they cannot use this 
information to find the trapdoor. 

All previous ideas are realized by using new key scheduling schemes. 

2. Enforcing cryptosystems against a key exhaustive search

DES [3] was criticized because the length of the key is only 56 bits. Several exhaustive
key search machines were presented to break several modes of DES [5], [6], [7], [8], and
[9]. Diffie and Hellman [7] proposed to use a larger key size to avoid exhaustive key search

¹ NFWO aangesteld navorser, sponsored by the National Science Foundation of Belgium.



H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 537-542, 1986. 
© Springer-Verlag Berlin Heidelberg 1986



Figure 1: A schematic overview of DES. (Diagram: the key K enters the key expansion / key
scheduling (ks), whose output space is labelled "totally infeasible to enumerate"; the message M
enters the encryption algorithm (ea) and yields the 64-bit ciphertext C.)



attacks. Yasaki [14] cites Hellman: "But the point we're making here is that a small key 
guarantees insecurity^ . In this section we will explain that in theory an algorithm which 
uses a short key, can be made very strong against exhaustive key search machines. To 
realize this in practice some restraints are to be taken into consideration. 

To explain the basic idea let us consider DES as an example. The time needed by an 
exhaustive key search machine to find the key is in the worst case proportional to: 

\[ \frac{\max(t_{ks}, t_{ea}) \times (\text{size of the key space})}{\text{number of used processors}} \]

where, for DES, the size of the key space is 2^56. As mentioned in Fig. 1, the time t_ks, 
respectively t_ea, is the time for executing the key scheduling, respectively the encryption 
algorithm without the key scheduling. Remark that for many DES hardware modules we 
have t_ea >> t_ks. To avoid exhaustive key search attacks, several ideas can be used. The 
best known is to increase the key space (i.e. the key size). Another is to slow down the 
algorithm (e.g. using more rounds in DES). This solution however reduces the practical 
use of the algorithm. The solution we present here is to increase t_ks such that t_ks >> t_ea. 
In Fig. 2, a DES-like algorithm is presented which is 16 times harder to break than DES 
with an exhaustive key search machine! The used key K is 56 bits long and a is some 
fixed publicly known 64 bit pattern. Remark that if the key is held constant this DES-like 
algorithm has the same encryption and decryption speed as DES. Hereto the so called 
"subkeys" are stored, having been calculated beforehand. Essential for its security is that 
the DES algorithms in the new key scheduling of the DES-like algorithm (see Fig. 2) are 
chained. It is evidently necessary that no trapdoor in DES would allow one to shortcut this 
chaining. From now on we will assume that DES doesn't have the discussed trapdoor. 



[Figure 2: A DES which is 16 times harder to break with an exhaustive key search 
machine than DES. Label recoverable from the figure: M.] 



It is now trivial to propose other DES-like algorithms which use a similar key scheduling. 
E.g. one could use 16 times DES for the calculation of the next subkey, instead of 
one. This would slow down the key scheduling (and the exhaustive key search) by a 
total factor of 256. Evidently if the last discussed scheme is used with a key K of only 48 
bits (the other 8 bits can be all zero), the security remains the same as for DES, from 
the point of view of exhaustive key search attacks. In theory one can increase the key 
scheduling time as much as one wants; in practice, however, the users modify the key, and 
then the frequency of the modification of the key determines what an acceptable increase of 
the execution time of the key scheduling is. One also cannot reduce the key size too 
far. Indeed if the key is too short, one can precalculate once and for all the subkeys for all 
possible keys and store them. In this case exhaustive key search machines use the precal- 
culated subkeys instead of calculating the key scheduling. A similar improved technique 
is valid for a chosen text attack. Remark that the key scheduling scheme is in fact a key 
expansion, which is an important concept in modern cryptosystems [11]. 
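The chaining and the cost model of this section, as an added Python example (not code from the paper): a chained key scheduling with a pluggable block function, and the search-time expression above evaluated for the three cases discussed in the text (one DES per subkey, 16 DES per subkey, and the 48-bit key with 16 DES per subkey). DES is not in the Python standard library, so `block_function` (HMAC-SHA256 truncated to 64 bits), the constant `A_PATTERN` standing in for the public pattern a, and all function names are assumptions of this example.

```python
"""Chained key scheduling and the exhaustive-search cost model of Section 2.

Added example, not the paper's own code. DES is not in the Python standard
library, so a keyed 64-bit pseudo-random function built from HMAC-SHA256
stands in for one DES block encryption (assumption: any keyed block
function with a 64-bit input and output would serve the same purpose here).
"""
import hashlib
import hmac

BLOCK_BYTES = 8                 # 64-bit DES block
ROUNDS = 16                     # DES uses 16 round subkeys
A_PATTERN = bytes(range(8))     # constructed stand-in for the fixed public pattern "a"


def block_function(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES encryption of a 64-bit block under `key`."""
    assert len(block) == BLOCK_BYTES
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_BYTES]


def chained_subkeys(key: bytes, chain_length: int = 1, rounds: int = ROUNDS) -> list:
    """Key scheduling by chaining (Fig. 2 style): the first block-function input is
    the public pattern a, every later one is the previous output. With
    chain_length > 1 each subkey costs that many block calls (the "16 times DES
    per subkey" variant is chain_length=16). Each call depends on the previous
    one, so the subkeys can neither be computed in parallel nor skipped."""
    subkeys = []
    state = A_PATTERN
    for _ in range(rounds):
        for _ in range(chain_length):
            state = block_function(key, state)
        subkeys.append(state)
    return subkeys


def block_calls_per_key(chain_length: int, rounds: int = ROUNDS) -> int:
    """Block-function evaluations the key scheduling costs per candidate key."""
    return chain_length * rounds


def search_time(key_bits: int, t_ks: float, t_ea: float, processors: int = 1) -> float:
    """Worst-case exhaustive search time: max(t_ks, t_ea) * 2^key_bits / processors."""
    return max(t_ks, t_ea) * (2 ** key_bits) / processors


def search_cost_ratio(key_bits: int, chain_length: int, t_ea: float = 1.0,
                      baseline_key_bits: int = 56, rounds: int = ROUNDS) -> float:
    """Exhaustive-search time of the chained scheme relative to plain DES.
    One block evaluation costs t_ea; plain DES key scheduling is taken as
    negligible (t_ea >> t_ks), so the baseline is t_ea * 2^56."""
    t_ks = block_calls_per_key(chain_length, rounds) * t_ea
    return search_time(key_bits, t_ks, t_ea) / search_time(baseline_key_bits, 0.0, t_ea)


if __name__ == "__main__":
    print("16 subkeys, one DES each:   ", search_cost_ratio(56, 1))    # 16.0
    print("16 subkeys, 16 DES each:    ", search_cost_ratio(56, 16))   # 256.0
    print("same, but only a 48-bit key:", search_cost_ratio(48, 16))   # 1.0
```

An endpoint that keeps its key fixed computes `chained_subkeys` once and then encrypts at the speed of the underlying block function, which is the point of the remark about stored subkeys; a key search machine has to pay the chained scheduling for every candidate key, and the ratio function shows why the 48-bit key with a 256-call schedule lands exactly on the 56-bit DES baseline.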

Several other schemes can be used as key expansion instead of DES. E.g. one can use 
a modified RSA [13]. The key K of 56 bits is enlarged with zeros to an input for the RSA 
algorithm of 768 bits; e and n are public as in RSA, however here n is a prime number of 
769 bits. The 768 bit output of this RSA scheme is used as the 16 subkeys of 48 bits. 

The analysis done by the authors [4] on more rounds in DES is no longer valid for 
the DES-like algorithm, as a consequence of the harder cryptosystems. In other words 
the ideas presented here can also be used to make a cryptosystem harder against 
attacks other than the exhaustive key search. 



[Figure 3: Using a one-way key scheduling scheme in feedback. Labels recoverable from the figure: scheme a: M, REG, one-way; scheme b: M, REG, one-way, K, f.] 

3. Using feedback and one-way functions 

At the end of the key scheduling scheme in the original DES, the original key reappears 
in the shift registers C and D. This can be considered as some feedback. Indeed in DES no 
extra register is necessary to store the used key, if the output of the key scheduling scheme 
is fed back. In the schemes we proposed in this paper, this extra register is necessary 
in order to continue to use the same key. This is however not necessary! We can use a 
feedback at the end of the key scheduling. If sender and receiver remain synchronized 
and no transmitted bits are lost, the used keys are modified, but both use the correct key. 
Let us now discuss two cases a little more. In the first one, the key scheduling scheme 
itself uses a secret master key to calculate the actual "session" key. Remark that the new 
session key does not have to be transmitted! In the second case no extra master key is used. 
The key scheduling scheme uses only publicly known information (as in DES). In this case 
no real advantage seems to be obtained with this feedback. We will now explain that this 
impression is wrong. 

Suppose the last discussed feedback key scheduling scheme is used. What happens if the 
used function ks (see Fig. 3, a) in the feedback is one-way? In that case the conventional 
cryptosystem acts partially as a public key system. We will explain this by an example. 
Suppose that a cryptosystem is located in some physically unsafe area. The security of the 
key is actually tamper free, but this can change at any time (e.g. a bank located in an 
unstable political regime). One wants to design a cryptosystem such that if the key of the 
sender is stolen, the cryptanalyst cannot understand the sent messages. A first possibility 
is to use a public key system. Indeed the public key (of the receiver), which is used to 
protect the privacy of the messages, cannot be used to decipher. The second possibility 
is to use the one-way key scheduling scheme with feedback. Even if the key is stolen, 
it cannot help to decipher previous messages! Similar examples can easily be found for 
other areas, in space applications for instance. Applications of the same idea can be used 
to protect keys in non-tamper-free areas, e.g. in chip cards. Indeed chip cards are more 
secure than magnetic cards, nevertheless not necessarily completely tamper free. Related 
to this example, a similar scheme was presented by Beker [1]. 

Several schemes can be used for this one-way function. DES is a good candidate for 
that. Some caution is necessary because only the so-called leader part of the feedback 
scheme is useful [10]: the cyclic part of the scheme is not very secure. 

Another idea is given in Fig. 3, b. It has the same properties as the one we discussed 
for the scheme of Fig. 3, a. Additionally the future is protected even if the key K is found 
by any practical method different from physically stealing the keys k_1 and k_2. 

Instead of one-way functions one can also use hard pseudo-random functions in the 
sense of Blum and Micali [2]. 
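The feedback scheme of Fig. 3, a, as an added Python example (not code from the paper): sender and receiver each hold one register, derive the key for the current message from it, and then overwrite the register with the one-way function of itself, so a register stolen later does not yield the keys of earlier messages. The block also walks the rho shape (leader and cycle) of a deliberately small 16-bit version of the one-way function, which is the caution from [10] about the cyclic part. SHA-256 truncated to 64 bits stands in for the one-way function (the paper suggests DES for that role), the hash keystream XOR stands in for the encryption algorithm, and all names are assumptions of this example.

```python
"""One-way key scheduling in feedback (Section 3, Fig. 3, a).

Added example, not the paper's code. SHA-256 truncated to 64 bits stands in
for the one-way function (the paper suggests DES for that role), and a
hash-derived keystream XOR stands in for the encryption algorithm; both are
assumptions made only so the block runs with the standard library.
"""
import hashlib

STATE_BYTES = 8   # 64-bit register contents


def one_way(state: bytes) -> bytes:
    """Public, keyless one-way function applied to the register in feedback."""
    return hashlib.sha256(b"feedback|" + state).digest()[:STATE_BYTES]


def session_key(state: bytes) -> bytes:
    """Key handed to the encryption algorithm for the current message."""
    return hashlib.sha256(b"session|" + state).digest()[:STATE_BYTES]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a hash keystream (same call encrypts and decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FeedbackEndpoint:
    """Sender or receiver. Only the current register value is stored; after each
    message it is replaced by one_way(register) and the old value is erased, so
    a stolen register does not give the keys of earlier messages."""

    def __init__(self, initial_key: bytes):
        self.register = initial_key

    def process(self, data: bytes) -> bytes:
        result = keystream_xor(session_key(self.register), data)
        self.register = one_way(self.register)   # feedback step
        return result


def exchange(initial_key: bytes, messages: list) -> tuple:
    """Run sender and receiver in lock-step; returns (recovered plaintexts,
    sender register, receiver register). Both stay synchronised without
    transmitting any key material."""
    sender, receiver = FeedbackEndpoint(initial_key), FeedbackEndpoint(initial_key)
    recovered = [receiver.process(sender.process(m)) for m in messages]
    return recovered, sender.register, receiver.register


def truncated_one_way(state: bytes) -> bytes:
    """16-bit version of one_way, small enough to walk its rho shape quickly."""
    return one_way(state)[:2]


def rho_structure(f, start: bytes) -> tuple:
    """Leader (tail) length and cycle length of iterating f from start. Only the
    leader part of the feedback sequence delivers fresh keys; once the iteration
    enters its cycle the keys repeat, which is the caution of [10]."""
    seen = {}
    state, i = start, 0
    while state not in seen:
        seen[state] = i
        state = f(state)
        i += 1
    leader = seen[state]
    return leader, i - leader
```

Synchronisation is the operational cost of the scheme: a lost or replayed message leaves the two registers out of step, so a real deployment needs a message counter or resynchronisation procedure alongside the feedback.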

4. Trapdoors in key scheduling schemes 

As we already discussed in Section 2, trapdoors in the key scheduling are possible. To 
obtain the improvements, the chaining of DES must be free of a shortcut solution. In this 
section more trapdoors in key scheduling schemes will be discussed. 

We discussed at the end of Section 2 the use of a modified RSA scheme for key 
scheduling. We used however there a prime number n, instead of the product of two 
primes. Suppose however that the user of the cryptosystem verifies whether n is indeed prime, 
and suppose it isn't. He then knows for sure that the one who designed the 
cryptosystem may have deliberately chosen n as a product of primes kept secret by the designer. 
Using the Chinese remainder theorem this allows the designer to speed up RSA [12] and 
so the key scheduling and his exhaustive key search machine. Remark that the user 
of the cryptosystem can indeed verify the possibility of a trapdoor but cannot use this 
knowledge! Evidently if n is large enough, it can be the product of several primes, giving 
more advantage to the designer. We propose to use the expression "trapdoor algorithms" 
for this kind of algorithms, i.e. for the algorithms where the computational complexity 
depends on the knowledge of some information. 
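The modified-RSA key expansion of Section 2 and the composite-modulus trapdoor just described, as one added Python example (not the paper's code): the user can only raise the zero-padded key to e mod n; a designer holding p and q computes the same value with two half-size exponentiations recombined by the Chinese remainder theorem; and a Miller-Rabin test on n is the check by which the user detects that a trapdoor may exist without being able to use it. The 61- and 89-bit Mersenne primes, the exponent 65537, the 56-bit test key and all function names are assumptions of this example; the paper's parameters are a 768-bit input and a 769-bit modulus.

```python
"""RSA-style key expansion (end of Section 2) and the composite-modulus
trapdoor of Section 4.

Added example, not the paper's code. Two known Mersenne primes (61 and 89
bits) replace the 769-bit modulus so the block runs instantly; the public
exponent 65537 and the 56-bit test key are constructed values. Everything
the "user" side does needs only (e, n); the "designer" side also holds p, q.
"""
import random

P = 2**61 - 1        # secret factor known to the designer only
Q = 2**89 - 1        # secret factor known to the designer only
N = P * Q            # published as "n"; the user is told it is prime
E = 65537            # public exponent e


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test: the check a user runs on the published n. A composite
    n proves the designer could have kept its factors as a trapdoor."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(1)           # fixed seed: reproducible witnesses
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness of compositeness
    return True


def expand_key_plain(key: int, e: int, n: int) -> int:
    """Key expansion as anyone can compute it: the short key, zero-padded to
    the modulus size simply by being a small integer, is raised to e mod n."""
    return pow(key, e, n)


def expand_key_crt(key: int, e: int, p: int, q: int) -> int:
    """The same value computed by whoever knows p and q: two exponentiations
    modulo the half-size factors (exponents reduced mod p-1 and q-1), then
    recombined with the Chinese remainder theorem ([12]). This is the
    designer's speed-up of the key scheduling, and hence of key search."""
    mp = pow(key % p, e % (p - 1), p)
    mq = pow(key % q, e % (q - 1), q)
    h = (pow(q, -1, p) * (mp - mq)) % p
    return mq + h * q


def split_subkeys(x: int, total_bits: int, subkey_bits: int) -> list:
    """Cut the expansion output into fixed-width subkeys (paper: 768 bits
    into 16 subkeys of 48 bits), least significant subkey first."""
    mask = (1 << subkey_bits) - 1
    return [(x >> (i * subkey_bits)) & mask for i in range(total_bits // subkey_bits)]


KEY = (1 << 55) | 0x1234567      # constructed 56-bit key K

if __name__ == "__main__":
    print("published n is prime:", is_probable_prime(N))          # False
    print("plain == CRT:", expand_key_plain(KEY, E, N) == expand_key_crt(KEY, E, P, Q))
```

The practical lesson for anyone deploying such a key expansion is the check, not the speed-up: run `is_probable_prime` on the modulus before accepting it, and treat a composite n as evidence that the scheduling cost is asymmetric between the designer and everyone else.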

A trapdoor can also be built into the feedback one-way key scheduling system. Indeed 
instead of using a one-way function, a trapdoor one-way function can be used. This 
allows the designer to reverse the feedback and decrypt previous messages, while this is 
impossible (hard) for outsiders. Remark that the cryptosystem remains a conventional 
cryptosystem! 

Such trapdoors (which are useless for outsiders if they only know the existence and 
location of the trapdoor) can be used, e.g. to reduce the misuse of an authentication 
system after it has been tampered with. 

5. Conclusions 

In contradiction with the common ideas, the key length is not the only thing that protects 
against exhaustive key search machines. Cryptosystems were proposed acting partially 
like public key systems. Combining ideas of public key and conventional schemes, 
we proposed trapdoors in conventional systems. The trapdoors are detectable, but useless 
for outsiders. 



A good key scheduling scheme is important. Very hard cryptosystems can be built, 
starting from simple ones, iterating them and using a hard key expansion (scheduling) 
scheme. 

REFERENCES 

[1] H. Beker and M. Walker, "Key management for secure electronic funds transfer in 
a retail environment," Advances in Cryptology, Proceedings of Crypto '84, Santa 
Barbara, August 1984 (Lecture Notes in Computer Science, Springer-Verlag, 
Berlin, 1985), pp. 401-410. 

[2] M. Blum and S. Micali, "How to generate cryptographically strong sequences of 
pseudo-random bits," SIAM J. Comput., Vol. 13, No. 4, Nov. 1984, pp. 850-864. 

[3] "Data Encryption Standard," FIPS (NBS Federal Information Processing Standards 
Publ.), no. 46, January 1977. 

[4] Y. Desmedt, J.-J. Quisquater and M. Davio, "Dependence of output on input in 
DES: Small avalanche characteristics," Advances in Cryptology, Proceedings of 
Crypto '84, Santa Barbara, August 1984 (Lecture Notes in Computer Science, 
Springer-Verlag, Berlin, 1985), pp. 359-376. 

[5] Y. Desmedt, "Unconditionally secure authentication schemes and practical and 
theoretical consequences," presented at Crypto '85, Santa Barbara, August 1985, 
to appear in the proceedings: Advances in Cryptology (Lecture Notes in Computer 
Science, Springer-Verlag, Berlin, 1986). 

[6] Y. Desmedt, F. Hoornaert and J.-J. Quisquater, paper in preparation. 

[7] W. Diffie and M. E. Hellman, "Exhaustive cryptanalysis of the NBS Data Encryption 
Standard," Computer, vol. 10, no. 6, pp. 74-84, June 1977. 

[8] M. E. Hellman, "A cryptanalytic time-memory trade-off," IEEE Trans. Inform. 
Theory, vol. 26, no. 4, pp. 401-406, July 1980. 

[9] F. Hoornaert, J. Goubert and Y. Desmedt, "Efficient hardware implementations 
of the DES," Advances in Cryptology, Proceedings of Crypto '84, Santa Barbara, 
August 1984 (Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1985), 
pp. 147-173. 

[10] B. S. Kaliski, R. L. Rivest and A. T. Sherman, "Is DES a pure cipher? (Results 
of more cycling experiments on DES)," presented at Crypto '85, Santa Barbara, 
August 1985, to appear in the proceedings: Advances in Cryptology (Lecture 
Notes in Computer Science, Springer-Verlag, Berlin, 1986). 

[11] A. Konheim, "Cryptography: A Primer," John Wiley, Toronto, 1981. 

[12] J.-J. Quisquater and C. Couvreur, "Fast decipherment for RSA public-key 
cryptosystem," Electronics Letters, vol. 18, 14 October 1982, pp. 905-907. 

[13] R. L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures 
and public key cryptosystems," Commun. ACM, vol. 21, pp. 294-299, 
April 1978. 

[14] E. K. Yasaki, "Encryption algorithm: key size is the thing," Datamation, vol. 22, 
no. 5, pp. 164-166, March 1976. 



ACCESS CONTROL AT THE NETHERLANDS POSTAL AND TELECOMMUNICATIONS SERVICES 



Willem Haemers 

PTT, Dr Neher Laboratories 

Leidschendam, The Netherlands 



Abstract. The Netherlands Postal and Telecommunications Services (PTT) have developed 
a system that controls the entrance to their buildings by use of magnetic stripe 
cards. In this note some cryptographic aspects of the system are explained. 



The Netherlands PTT has about 100,000 employees and 2,000 buildings. Many of the 
employees have access to several buildings. The access control system provides each 
employee with only one magnetic stripe card, irrespective of the number of buildings 
the employee has access to. Because of the complexity of the situation an off-line 
system is preferred. It implies that the access information must be on the magnetic 
stripe card. The access information consists of the following subjects: 

- identity of the employee 

- buildings to which the employee has access 

- times when access is allowed 

- access under special circumstances 

- PIN-code 

- random information 

For reasons of security and organisation it is required that only the card distribution 
center is able to create cards. This is achieved by encrypting the information 
by means of a public key system. The secret encryption key, needed to create cards, 
is then only present at the center, whilst the public decryption key, needed to 
interpret the cards, is present in each building. This kind of public key application 
can be found in [1] p. 512, and in [3]. 

Decryption is required to be implemented in PASCAL on a micro computer. A 
straightforward implementation of RSA takes about one minute. For decoding, this is 
much too long. Waiting at the entrance should not take more than half a second. One 
can speed up the decryption of RSA by use of a small exponent. However, Rabin [2] 
provides a system that in all cases is faster than RSA. The decryption formula for 
Rabin's system reads 

(*) (clear text) = (cipher text)^2 MOD (public key), 

where, as in RSA, the public key is the product of two large primes. Computation of this 
formula has been realized in about 300 ms (the number size is 480 bits). Encoding 
still takes about one minute, but this is no problem. 

After a card is read at the entrance the card holder can be asked to identify himself 
by means of a PIN. The PIN is a number chosen by the card owner and has no prescribed 
length. The information necessary for PIN checking, the PIN-code, is also on the 
card. If the PIN is typed at the entrance, the PIN-code is computed and compared with 
the PIN-code on the card. The PIN-code depends on the PIN and the identity of the 
card owner via a one-way function. The one-way function used is Rabin's decoding 
formula (*) (only 32 bits of the outcome are taken for the actual PIN-code). 

It is impossible to prevent an exhaustive search attack on the PIN by anyone who 
knows the public key. Therefore the public key is not made public. However, it is 
straightforward to derive the public key from the plaintext and the ciphertext of 
about two cards. Therefore knowledge of the full plaintext is prevented by means of 
the random information on the card. The random information also prevents a chosen 
plaintext attack which is known to exist for the used application of Rabin's system. 

H.C. Williams (Ed.): Advances in Cryptology - CRYPTO '85, LNCS 218, pp. 543-544, 1986. 
© Springer-Verlag Berlin Heidelberg 1986 
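The card scheme of this note as an added Python example (not the PTT's PASCAL implementation): the centre, which holds the two primes, creates a card by taking a modular square root of the packed access record; a building holds only the modulus, squares the card content as in formula (*), parses the record and recomputes the PIN-code from the typed PIN and the card identity. The random field does double duty in the example: besides hiding the full plaintext as the text explains, it is redrawn until the record is a quadratic residue, since only those have a square root. Two Mersenne primes of 61 and 89 bits (both 3 mod 4) replace the 480-bit modulus, and the record layout, the PIN/identity encoding and all names are assumptions of this example.

```python
"""Off-line access card built on Rabin's system, as in Haemers' note.

Added example, not the PTT's PASCAL implementation. Two known Mersenne
primes (61 and 89 bits, both 3 mod 4) replace the 480-bit modulus, the
record layout and the way PIN and identity are combined into one number
are assumptions of this example, and the "random" values are constructed.
The centre holds p and q and takes square roots; a building holds only n
and squares (formula (*)).
"""
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q     # "public key", kept inside the readers rather than published

# Assumed card record layout, most significant field first.
FIELDS = [("identity", 32), ("buildings", 32), ("times", 16), ("pincode", 32), ("random", 32)]
TOTAL_BITS = sum(width for _, width in FIELDS)


def pack(record: dict) -> int:
    m = 0
    for name, width in FIELDS:
        assert 0 <= record[name] < (1 << width)
        m = (m << width) | record[name]
    return m


def unpack(m: int) -> dict:
    record = {}
    for name, width in reversed(FIELDS):
        record[name] = m & ((1 << width) - 1)
        m >>= width
    return record


def pin_code(pin: int, identity: int) -> int:
    """One-way function of PIN and identity: Rabin's formula (*), keeping 32 bits."""
    assert 0 <= pin < (1 << 64)             # the PIN has no prescribed length
    x = (identity << 64) | pin              # assumed encoding of the pair
    return pow(x, 2, N) & 0xFFFFFFFF


def is_square_mod(m: int, p: int) -> bool:
    """Euler's criterion for an odd prime p."""
    return m % p == 0 or pow(m, (p - 1) // 2, p) == 1


def sqrt_mod_n(m: int, p: int, q: int) -> int:
    """Square root of m mod pq for p, q = 3 (mod 4): a root mod each factor,
    combined by the Chinese remainder theorem. Needs the secret factors."""
    rp = pow(m, (p + 1) // 4, p)
    rq = pow(m, (q + 1) // 4, q)
    h = (pow(q, -1, p) * (rp - rq)) % p
    return rq + h * q


def create_card(identity: int, buildings: int, times: int, pin: int, random_values) -> int:
    """Centre side. The random field is redrawn until the packed record is a
    quadratic residue mod n (about one record in four is), because only those
    have a square root; it also keeps the full plaintext unknown to outsiders."""
    for r in random_values:
        rec = {"identity": identity, "buildings": buildings, "times": times,
               "pincode": pin_code(pin, identity), "random": r}
        m = pack(rec)
        if is_square_mod(m, P) and is_square_mod(m, Q):
            return sqrt_mod_n(m, P, Q)
    raise ValueError("no usable random value supplied")


def read_card(card: int, building: int, typed_pin: int) -> bool:
    """Building side: square the card content (formula (*)), parse the record,
    check the building bit and recompute the PIN-code from the typed PIN."""
    m = pow(card, 2, N)
    if m >> TOTAL_BITS:                      # not a record the centre produced
        return False
    rec = unpack(m)
    if not (rec["buildings"] >> building) & 1:
        return False
    return rec["pincode"] == pin_code(typed_pin, rec["identity"])
```

The reader's whole cost is one modular squaring plus one more for the PIN-code, which is why the note reports 300 ms for a 480-bit modulus on a microcomputer; the asymmetry (square roots need the factors, squaring does not) is what keeps card creation confined to the centre.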
REFERENCES 

[1] Meyer, C.H. & Matyas, S.H., "Cryptography: A New Dimension in Computer Data 
Security", John Wiley & Sons Inc., New York, 1982. 

[2] Rabin, M.O., "Digitalized Signatures and Public-Key Functions as Intractable as 
Factorization", MIT/LCS/TR-212 (1979). 

[3] Simmons, G.J., "A System for Point-of-Sale or Access, User Authentication and 
Identification", Proc. Crypto '82, Santa Barbara, pp. 31-37. 



Author Index 

Adleman, Leonard M. 3 
Berger, Richard 87 
Bennett, Charles 468 
Blakley, G.R. 180, 282 
Boekee, D.E. 489 
Brassard, Gilles 468 
Brickell, Ernest F. 28 
Chaum, David 18, 192 
Chor, Benny 448 
Cohen, Gerard D. 458 
Coppersmith, Don 14, 104, 535 
Crepeau, Claude 73 
Davio, M. 537 
de Jonge, Wiebren 18 
DeLaurentis, John M. 28 
Desmedt, Yvo 42, 516, 537 
Diffie, Whitfield 108, 340 
El Gamal, Taher 396 
Estes, Dennis 3 
Even, Shimon 58 
Evertse, Jan-Hendrik 192 
Feigenbaum, Joan 477 
Fell, Harriet 340 
Galil, Zvi 128 
Godlewski, Philippe 458 
Goldreich, Oded 58, 448 
Goldwasser, Shafi 448 
Gosler, James R. 140 
Haber, Stuart 128 
Haemers, W. 543 
Hastad, Johan 403 
Herzberg, A. 158 
Kaliski, Burt S. 212 
Kannan, Sampath 87 
Kochanski, Martin 350 
Kompella, Kireeti 3 
Luby, Michael 447 
McCurley, Kevin S. 3 
Meadows, Catherine 180 
Miller, Gary L. 3 
Miller, Victor S. 417 
Moore, T.E. 227 
Nakamura, K. 246 
Odlyzko, A.M. 516 
Okamoto, E. 246 
Peralta, Rene 87 
Pinter, S. 158 
Purdy, G.B. 180 
Quisquater, J.-J. 537 
Rackoff, Charles 447 
Reif, J.H. 433 
Rueppel, Rainer A. 260 
Rivest, Ronald L. 212 
Robert, Jean-Marc 468 
Siegenthaler, T. 273 
Shamir, Adi 58, 280 
Sherman, Alan T. 212 
Simmons, Gustavus J. 33 
Stephens, N.M. 409 
Tavares, S.E. 227, 523 
Tygar, J.D. 433 
van Tilburg, J. 489 
Varadharajan, V. 369 
Webster, A.F. 523 
Williams, H.C. 358 
Wolfram, Steven 429 
Yung, Moti 128 





Keyword Index 

Algebraic number fields 387 
Algorithm 355, 366 
Alphabet 284 
Arithmetic 284 
Authentication 42, 132 
Authentic public channel 468 
Avalanche variable independence 526, 527 
Basis reduction algorithm 105 
Bhattacharyya-distance 492 
Birthday phenomenon 14 
Bit security 448 
Blockciphers 192 
Boolean polynomials 280 
Buffers 240 
Cantor Set 429 
Cellular automaton 429 
Chosen signature 19 
Chosen text attack 516 
Class number 401 
Closed cipher 214 
Completeness 523 
Computing with encrypted data 477 
Confusion 283 
Conventional cryptosystem 160, 340 
Correlation-Immunity 262, 274 
Cryptanalysis 29, 32, 248 
Cryptographic protocols 58 
Cryptosystem 283 
Cycle detection algorithm 214 
Cycle structure 536 
Cyclotomic field 396, 397 
Cyclotomic polynomial 397, 399 
Data transfer 109 
DES 14, 50, 192, 213, 293, 531, 535, 537 
Digital credit card 461 
Digital signatures 32 
Diffusion 283 
Disclosure rate 248 
Discrete elliptic logarithms 421 
Discrete logarithms 105, 396, 518 
Discrete message 189 
Discriminant 419 
Divide and conquer attack 274 
Elliptic curve 410, 418 
Encryptable problem 477 
End-to-end security 108 
Error probability 489 
Exponentiation 104 
Extended RSA system 382 
F-divergence 492 
Factoring 89, 363, 373, 448 
Factorization 409 
Factorization trapdoor 392 
FAP4 350 
Fingerprint 180 
Finite field 396, 397, 400 
Finite permutation group 214 
Finite state machine 262, 265, 273 
Flow control 109 
Forger 18 
Forgiving message 180 
Group 284 
Hard bits 129 
Hardware security devices 142 
Ideal classes 399, 401 
Immutable codes 459 
Imperfect private channel 468 
Incremental locked codes 460 
Independencies of key bits 193 
J-ring 342 
Jacobi symbol 359 
Key 
    exchange 421 
    lifetime 248 
    distribution schemes 247 
    scheduling scheme 537 
Key-equivocation 489 
Known plaintext attack 192 
Lattice algorithms 405 
Layer interaction 230 
Layer transparency 230 
Layered cryptosystem 228 
Lenstra algorithm 414, 519 
Linear complexity 270 
Linear congruential generators 439 
Link security 108 
Logarithmic height 419 
Logarithms 105 
Matrix 286 
Matrix based RSA system 384 
Matrix ring 377 
Meet-in-the-middle attack 14, 192 
Mental poker 104 
Message authentication 14, 15 
Multi-Party protocols 449 
Multiple encryption 213 
Multivariate polynomial 340 
Nilpotent ring 341 
NP 430 
NP-complete problem 482 
NP ∩ Co-NP 488 
One time pad (Vernam) 43 
p-1 method 413 
P-Isomorphism 483 
Parallel computation 435 
Partial factorization 449 
Partial information 448 
Pe-security distance 502 
PIN 543 
Pirate 182 
Polynomial rings 383 
Predicate reducibility 452 
Probabilistic Turing Machine 88 
Protocol 
    coin flipping 88 
    cryptographic 90, 128 
    distribution 165 
    ping-pong 60 
    poker 73 
    replacement 166 
    transmission control 108 
Pseudo random function 447 
Pseudo random permutation 447 
Public key authentication system 28 
Public key cryptosystems 59, 129, 160, 340, 358, 369, 403 
Public key signature scheme 28 
Pure cipher 215, 495 
Quadratic congruences 3 
Ramp scheme 285 
Random number generation 434 
Redundancy 19 
Reliability 109 
Replacement 2X2 
RNC 435 
RSA chip 350 
RSA cryptosystem 18, 51, 59, 358, 373, 403, 516, 543 
Running-key generator 260, 268 
S-Boxes 280, 527, 529 
Sequences of linear factors 192 
Signatures 3, 18, 144 
Smooth numbers 413 
Software analysis denial 146 
Software protection 140, 158 
S-P Networks 529, 530 
Statistical tests 433, 437 
Stream cipher 49, 260, 273, 429 
Strict avalanche criterion 524, 525 
Subliminal channel 32 
Summation generator 268 
Symmetric encryption scheme 130 
Symmetric group 286 
Symmetrical cryptosystem 232 
Tampering 469 
Technology denial concepts 147 
Three-layered algorithm 238 
Three-way handshake 112 
Transaction system 167 
Transmission errors 469 
Transposition cipher 286 
Trapdoor 
    algorithm 541 
    permutation 129 
    ring 374 
Unconditional security 42, 53 
Universal algebra 290 
Vector space 284 
Weak keys 535 
"Write-once" memories 458 



